Edit tour
Windows
Analysis Report
1ppvR5VRT6.exe
Overview
General Information
| Sample name: | 1ppvR5VRT6.exe |
| Analysis ID: | 1466840 |
| MD5: | 12b29055a6b47a95b2fe8bcd19859c70 |
| SHA1: | 8279ee3c9d9b8fa8f91e6dac00bb1e70cee42793 |
| SHA256: | 8e90738e8d2c488ac315737c15f39a977d989200cdb20b42a63a1f7bc8438a1e |
| Infos: |   |
 | |
Detection
GuLoader
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Check if machine is in data center or colocation facility
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Screensaver Binary File Creation
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64native
1ppvR5VRT6.exe (PID: 4524 cmdline: "C:\Users\ user\Deskt op\1ppvR5V RT6.exe" MD5: 12B29055A6B47A95B2FE8BCD19859C70) - 1ppvR5VRT6.exe (PID: 9536 cmdline:
"C:\Users\ user\Deskt op\1ppvR5V RT6.exe" MD5: 12B29055A6B47A95B2FE8BCD19859C70)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution |
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | ||
| JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security |
| Source: | Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: | ||
| Source: | Author: frack113: | ||
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira URL Cloud: | ||
| Source: | ReversingLabs: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 5_2_00405861 | |
| Source: | Code function: | 5_2_0040639C | |
| Source: | Code function: | 5_2_004026F8 | |
| Source: | Code function: | 9_2_00405861 | |
| Source: | Code function: | 9_2_004026F8 | |
| Source: | Code function: | 9_2_0040639C | |
| Source: | HTTP traffic detected: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Code function: | 5_2_004052FE | |
| Source: | Code function: | 5_2_0040330D | |
| Source: | Code function: | 9_2_0040330D | |
| Source: | File created: | Jump to behavior | ||
| Source: | Code function: | 5_2_00406725 | |
| Source: | Code function: | 5_2_00404B3D | |
| Source: | Code function: | 9_2_00406725 | |
| Source: | Code function: | 9_2_00404B3D | |
| Source: | Code function: | 9_2_001688F8 | |
| Source: | Code function: | 9_2_001638F8 | |
| Source: | Code function: | 9_2_00164910 | |
| Source: | Code function: | 9_2_0016BB68 | |
| Source: | Code function: | 9_2_0016EF70 | |
| Source: | Code function: | 9_2_00164040 | |
| Source: | Code function: | 9_2_390E2120 | |
| Source: | Code function: | 9_2_390E38C8 | |
| Source: | Code function: | 9_2_390E80F8 | |
| Source: | Code function: | 9_2_390EA310 | |
| Source: | Code function: | 9_2_390E31E0 | |
| Source: | Code function: | 9_2_001689B0 | |
| Source: | Code function: | 9_2_0016BF10 | |
| Source: | Code function: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 5_2_0040330D | |
| Source: | Code function: | 9_2_0040330D | |
| Source: | Code function: | 5_2_004045CA | |
| Source: | Code function: | 5_2_004020CB | |
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | WMI Queries: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | File written: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
Data Obfuscation | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Code function: | 5_2_10001A5D | |
| Source: | Code function: | 5_2_10002D4E | |
| Source: | Code function: | 9_2_390E15B1 | |
| Source: | Code function: | 9_2_390E1531 | |
| Source: | File created: | Jump to dropped file | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | HTTP traffic detected: | ||
| Source: | WMI Queries: | ||
| Source: | API/Special instruction interceptor: | ||
| Source: | API/Special instruction interceptor: | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Code function: | 5_2_00405861 | |
| Source: | Code function: | 5_2_0040639C | |
| Source: | Code function: | 5_2_004026F8 | |
| Source: | Code function: | 9_2_00405861 | |
| Source: | Code function: | 9_2_004026F8 | |
| Source: | Code function: | 9_2_0040639C | |
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_5-4286 | ||
| Source: | API call chain: | graph_5-4475 | ||
| Source: | Code function: | 5_2_10001A5D | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 5_2_0040330D | |
| Source: | Key value queried: | Jump to behavior | ||
Stealing of Sensitive Information | |
|---|
| Source: | Key opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Access Token Manipulation | 11 Masquerading | 2 OS Credential Dumping | 311 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 11 Process Injection | 12 Virtualization/Sandbox Evasion | 1 Credentials in Registry | 12 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Disable or Modify Tools | Security Account Manager | 1 System Network Configuration Discovery | SMB/Windows Admin Shares | 2 Data from Local System | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Access Token Manipulation | NTDS | 3 File and Directory Discovery | Distributed Component Object Model | 1 Clipboard Data | 12 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Process Injection | LSA Secrets | 126 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Deobfuscate/Decode Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 50% | ReversingLabs | Win32.Trojan.GuLoader |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| ip-api.com | 208.95.112.1 | true | true | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false |
| unknown | |
| false |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | true | |
| 185.222.58.113 | unknown | Netherlands | 51447 | ROOTLAYERNETNL | false |
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1466840 |
| Start date and time: | 2024-07-03 14:00:11 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 15m 36s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2021, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301 |
| Run name: | Suspected Instruction Hammering |
| Number of analysed new started processes analysed: | 10 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | 1ppvR5VRT6.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@3/12@1/2 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, HxTsr.exe, RuntimeBroker.exe, backgroundTaskHost.exe
- Excluded domains from analysis (whitelisted): assets.msn.com, ctldl.windowsupdate.com, nexusrules.officeapps.live.com, api.msn.com
- Execution Graph export aborted for target 1ppvR5VRT6.exe, PID 9536 because it is empty
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
- Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- VT rate limit hit for: 1ppvR5VRT6.exe
⊘No simulations
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 208.95.112.1 | Get hash | malicious | AgentTesla | Browse |
| |
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla, GuLoader | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| 185.222.58.113 | Get hash | malicious | GuLoader | Browse |
| |
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| ip-api.com | Get hash | malicious | AgentTesla | Browse |
| |
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla, GuLoader | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| ROOTLAYERNETNL | Get hash | malicious | GuLoader | Browse |
| |
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
| ||
| TUT-ASUS | Get hash | malicious | AgentTesla | Browse |
| |
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla, GuLoader | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
|
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\nskABB0.tmp\System.dll | Get hash | malicious | GuLoader | Browse | ||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | GuLoader | Browse |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing\Absorbable.sul
Download File
| Process: | C:\Users\user\Desktop\1ppvR5VRT6.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 836396 |
| Entropy (8bit): | 0.29759115823756915 |
| Encrypted: | false |
| SSDEEP: | 768:ONjfRwbxYsn1KxrM/MRos6Yumut+ud9j4f7lzZnMkviwCdR/S9krIXLtZkCoVf/1:Q/5y |
| MD5: | 6593DE223564535CE11D13BFB74348CA |
| SHA1: | 5D85AF6A3877470118DDAC318A131C7EB2498BB2 |
| SHA-256: | A57CB464F48B61E87ED20832F2D6EAE93C2669BB13850CB6186248E9B597364C |
| SHA-512: | F0B85A3F75268CB4B08FF7FC18A631ACC4C1D9E8ACA804B9ED8DFC186789BF930467F1C2AE2DCC769AC200557D4FF01ABDA80EA17CE622488D56C264D2941E3F |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing\Belows.Ran
Download File
| Process: | C:\Users\user\Desktop\1ppvR5VRT6.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 245207 |
| Entropy (8bit): | 7.5004205547744585 |
| Encrypted: | false |
| SSDEEP: | 6144:tV0Q8Z25kI+0ixDrnlFPo+7/nUqVb+OUGo4RTvI:tGQW25eZJDzVbfBg |
| MD5: | AD0F0ECE9B3EB9F8A85445C0A5C0321B |
| SHA1: | 0BDEE84F313E45C60D9BB50C3BE5A004709DFA72 |
| SHA-256: | 557CE9743F53AA74241E6D3147D14F1D3CDC4C5F1043621DB145663D8471E043 |
| SHA-512: | D25B267FF6C551BA1DFC35E38506C43A0BFAF7350F3D2D3AF5A0E75D803AC5364147FBC4B9645FAF15B63F61BEB8C778D50651746B9F18BAB3140EDDEE269BD4 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing\Milreds.Pub
Download File
| Process: | C:\Users\user\Desktop\1ppvR5VRT6.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 6218 |
| Entropy (8bit): | 4.450693657153253 |
| Encrypted: | false |
| SSDEEP: | 96:MmrEQEHCsEZAxZP0FBbsW29vaAyvK7ZviCI5p:RpEH9f0boNlyveZviCI5p |
| MD5: | 1E7DC4D79053F5FFA0CFF28A1B44241F |
| SHA1: | E9E8671AA0DFFAC33B30018BDE9A434D1D75EF56 |
| SHA-256: | B6AD78B6014239D0845577855808B3DE9BA5B42F5D267892C921CF4E293FADF1 |
| SHA-512: | 94B10A301A746BB25A4E142B70AE4833D4B46C6E07697DDCF2CF3A17C1AB3E0EA1CB962FE2A113E2B37C7D4475710293482614E828082EC323504AA22C2BD0B2 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing\Randon17.vgr
Download File
| Process: | C:\Users\user\Desktop\1ppvR5VRT6.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1089926 |
| Entropy (8bit): | 0.29789121998864304 |
| Encrypted: | false |
| SSDEEP: | 768:DfIbQMnX/cgMWndUtQ//KuGQ+4xRoQoezjVn20Ka17J6T0vbXHtPSeySgSJSejnK:VIbm |
| MD5: | 7978BF27082616FAADE55B22394BBDDC |
| SHA1: | 3CB41F03B1CD775F7F6BC9B95944854DDA87BF36 |
| SHA-256: | B88A13EB0EEDB9BE6E1F809D0B8A55979186DB208858FEDCE5A59B28556B248B |
| SHA-512: | 9A734B8285C96706C434AEDF2ABF6666E82EC257DEFAB74213C50B18A5C7B23B3A48D76FE64E4CC6446CC460095CEA3F37D8029FA28B9198F4A371BA1C23922B |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing\keelhauls.scr
Download File
| Process: | C:\Users\user\Desktop\1ppvR5VRT6.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1078378 |
| Entropy (8bit): | 0.29937849286877016 |
| Encrypted: | false |
| SSDEEP: | 768:N9lotXK6U6HA/zmsIxzvraRwfj+iMbmwrhg2hnwjYBm2GOP9bsWZafCJL6Ir7wxG:QRPMLzJ |
| MD5: | 87A3CE82A211E6022D7145C99EEF5EDC |
| SHA1: | D2AA5DAEF3272ACDEE40657353EBB0BA94728E8D |
| SHA-256: | 66BF6C84307739696EB18D632B6A34755375E61F3C612DC273C7F8F25FCAD938 |
| SHA-512: | 66F2BC1530F6D187749486C7305F069D67964EF5427A6A59F2DC081469F5D608C6E0D2C30EDEF70A6A79E6386BE1528AE2B8725BA704E2D3CF8B2F303D8EB1CF |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing\primaveksel.txt
Download File
| Process: | C:\Users\user\Desktop\1ppvR5VRT6.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 442 |
| Entropy (8bit): | 4.257547597458778 |
| Encrypted: | false |
| SSDEEP: | 12:cITDesyfMA34EmHSFoYHGzqDcnuV/HGgPF7Rl6s:LoMhcozqDV/HzPF+s |
| MD5: | 87308607BBEFDD32639F5BCAD963B8C2 |
| SHA1: | 14A3196B8301243120BD7F9248C5949D718B4DEA |
| SHA-256: | A71BD44CA8EFDA96BA1083D1D36FC2148592CA881CFF674C71B7742A1866B012 |
| SHA-512: | 9019036C6976F9A8BA0F6D5FDE538FFA69C537A320CF09758E2CEB9012F4C106E4D09B15248CA0A695DC7960FFBBF500FF21BD3A17EBD37FE3DE13A0BBC8EA5E |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing\skohornet.ser
Download File
| Process: | C:\Users\user\Desktop\1ppvR5VRT6.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1196385 |
| Entropy (8bit): | 0.29404357461455993 |
| Encrypted: | false |
| SSDEEP: | 768:zrTEDgAwUGxcEEBSF2XVHcg/62u6BEqlktC9le+FplzUtaPQVPKtoQFrqFrepOde:TM2gnM9 |
| MD5: | 11825DAB7ECEA24188448D6DE7D605A5 |
| SHA1: | 90CC6EEC53823CDB2E1946583042699B42C84BFF |
| SHA-256: | E9F3CA77C307A76C115171B367B540D2615F30636A16EE986C852AEF5EAB6409 |
| SHA-512: | 6F0F808DE0DADD0F8E94DF72E1A85828F0BD8E14FB8F4300614901A17C260AF55CFE33EC473FEF34663E8B069BF19306EB32D38E39E60149BD85D83D14C23749 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\skdeskindenes\bromamide\Ozonizing\temperatures.ref
Download File
| Process: | C:\Users\user\Desktop\1ppvR5VRT6.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 714538 |
| Entropy (8bit): | 0.297157822096001 |
| Encrypted: | false |
| SSDEEP: | 768:eLtWEAnNzz6fiBH4r4D2EBct2GaDNHpDe9SM1hon+wFniYgoZhgBy9:Q |
| MD5: | 17DF408E712C3359E4B58F95E4529F16 |
| SHA1: | 75203C6B467A1174B41DFEFE3795A9B87331808E |
| SHA-256: | 35D50D71AFA6B8169123458A8232CDE1E3D96E3A0E6734045714192B0930D1AA |
| SHA-512: | 7FA7600651CE103DD3F5143036E5EE6B5B3262555D331761BD426898990A6B314E25A018E4B16B395E86E0A023B24DF3796744860E6478EFBFA190EBADBC4253 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\1ppvR5VRT6.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 49 |
| Entropy (8bit): | 4.75216571132969 |
| Encrypted: | false |
| SSDEEP: | 3:a6QLQIfLBJXlFGfv:xQkIPeH |
| MD5: | 797DA95245047A54F125FBF3B19FA295 |
| SHA1: | 9E46F51C033836343C4099609F35B9B62C290A00 |
| SHA-256: | A047914D1DB23829E36D3A2A908D83F4B51F5A8194AE090BB9F9AB9F8DDA9128 |
| SHA-512: | 4755C72A469C7C816D7B4A08BFEABFC266AAD029156A301E2592E3AFD16C5DB5FCE44C4475CB83C43B859A06AD069370182FCA5CAFACF4A27D191F4C0AE34A03 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\1ppvR5VRT6.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 5189645 |
| Entropy (8bit): | 0.8487782738684099 |
| Encrypted: | false |
| SSDEEP: | 6144:M+V0Q8Z25kI+0ixDrnlFPo+7/nUqVb+OUGo4RTvHCEgjq3u:3GQW25eZJDzVbfBPCU3u |
| MD5: | F2C2F667ABAE82BA5080A9D1097BFE7A |
| SHA1: | 71050D7CBAD660B4F81566032423E3E4C28FEE15 |
| SHA-256: | 990DD51136731604141645219F8AB9A5B70BA48C32A7970098E870D7F08B6189 |
| SHA-512: | 727D480D27A76A624425AF8B7F361246F6012D1347164A848B724EADFFF9A7B79A9422999262714280FB4A832CE23B747F717A2A9ECDBE5F4C4188F9F05D18D8 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\1ppvR5VRT6.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 11264 |
| Entropy (8bit): | 5.76781505116372 |
| Encrypted: | false |
| SSDEEP: | 192:MPtkumJX7zBE2kGwfy9S9VkPsFQ1Mx1c:97O2k5q9wA1Mxa |
| MD5: | 55A26D7800446F1373056064C64C3CE8 |
| SHA1: | 80256857E9A0A9C8897923B717F3435295A76002 |
| SHA-256: | 904FD5481D72F4E03B01A455F848DEDD095D0FB17E33608E0D849F5196FB6FF8 |
| SHA-512: | 04B8AB7A85C26F188C0A06F524488D6F2AC2884BF107C860C82E94AE12C3859F825133D78338FD2B594DFC48F7DC9888AE76FEE786C6252A5C77C88755128A5B |
| Malicious: | false |
| Antivirus: |
|
| Joe Sandbox View: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\1ppvR5VRT6.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 25 |
| Entropy (8bit): | 4.163856189774724 |
| Encrypted: | false |
| SSDEEP: | 3:+gMn:8 |
| MD5: | ECB33F100E1FCA0EB01B36757EF3CAC8 |
| SHA1: | 61DC848DD725DB72746E332D040A032C726C9816 |
| SHA-256: | 8734652A2A9E57B56D6CBD22FA9F305FC4691510606BCD2DFCA248D1BF9E79C7 |
| SHA-512: | D56951AC8D3EB88020E79F4581CB9282CA40FAA8ADC4D2F5B8864779E28E5229F5DFE13096CF4B373BBC9BC2AC4BFC58955D9420136FB13537F11C137D633C18 |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.226342426240861 |
| TrID: |
|
| File name: | 1ppvR5VRT6.exe |
| File size: | 864'817 bytes |
| MD5: | 12b29055a6b47a95b2fe8bcd19859c70 |
| SHA1: | 8279ee3c9d9b8fa8f91e6dac00bb1e70cee42793 |
| SHA256: | 8e90738e8d2c488ac315737c15f39a977d989200cdb20b42a63a1f7bc8438a1e |
| SHA512: | a8c32e05916de83a58019bf2a053cd5941cca6d3262cbbf533b88ded84a5d56280e92899122e438a835be946fa264e2df6baa03f3035a3ef923e017be677d46f |
| SSDEEP: | 24576:XcIjUna3i8cbVOEFTwskNHelJU/f0V63u:kxZxEFNHe/U/8Su |
| TLSH: | B005F1BF336B580AC09066B709F2D01896F09E5A15BE4A475B72FF68FA7CBC07C4A151 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.v.F.*.....F...v...F...@...F.Rich..F.........................PE..L...s..Y.................b......... |
 | |
| Icon Hash: | 070f4b69d5300d13 |
| Entrypoint: | 0x40330d |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x597FCC73 [Tue Aug 1 00:33:55 2017 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 57e98d9a5a72c8d7ad8fb7a6a58b3daf |
| Instruction |
|---|
| sub esp, 00000184h |
| push ebx |
| push esi |
| push edi |
| xor ebx, ebx |
| push 00008001h |
| mov dword ptr [esp+18h], ebx |
| mov dword ptr [esp+10h], 0040A130h |
| mov dword ptr [esp+20h], ebx |
| mov byte ptr [esp+14h], 00000020h |
| call dword ptr [004080A8h] |
| call dword ptr [004080A4h] |
| and eax, BFFFFFFFh |
| cmp ax, 00000006h |
| mov dword ptr [0042472Ch], eax |
| je 00007F3854ADCAD3h |
| push ebx |
| call 00007F3854ADFBA2h |
| cmp eax, ebx |
| je 00007F3854ADCAC9h |
| push 00000C00h |
| call eax |
| mov esi, 00408298h |
| push esi |
| call 00007F3854ADFB1Eh |
| push esi |
| call dword ptr [004080A0h] |
| lea esi, dword ptr [esi+eax+01h] |
| cmp byte ptr [esi], bl |
| jne 00007F3854ADCAADh |
| push 0000000Ah |
| call 00007F3854ADFB76h |
| push 00000008h |
| call 00007F3854ADFB6Fh |
| push 00000006h |
| mov dword ptr [00424724h], eax |
| call 00007F3854ADFB63h |
| cmp eax, ebx |
| je 00007F3854ADCAD1h |
| push 0000001Eh |
| call eax |
| test eax, eax |
| je 00007F3854ADCAC9h |
| or byte ptr [0042472Fh], 00000040h |
| push ebp |
| call dword ptr [00408044h] |
| push ebx |
| call dword ptr [00408288h] |
| mov dword ptr [004247F8h], eax |
| push ebx |
| lea eax, dword ptr [esp+38h] |
| push 00000160h |
| push eax |
| push ebx |
| push 0041FCF0h |
| call dword ptr [00408178h] |
| push 0040A1ECh |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8428 | 0xa0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x41000 | 0x5aa38 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x298 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x603c | 0x6200 | 029c8031e2fb36630bb7ccb6d1d379b5 | False | 0.6572464923469388 | data | 6.39361655287636 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x8000 | 0x1248 | 0x1400 | 421f9404c16c75fa4bc7d37da19b3076 | False | 0.4287109375 | data | 5.044261339836676 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xa000 | 0x1a838 | 0x400 | c93d53142ea782e156ddc6acebdf883d | False | 0.6455078125 | data | 5.223134318413766 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .ndata | 0x25000 | 0x1c000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x41000 | 0x5aa38 | 0x5ac00 | 36138a89abeb35667330457e2be0a675 | False | 0.3329620781680441 | data | 5.566457386793811 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x41478 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 0 | English | United States | 0.21799641980057402 |
| RT_ICON | 0x834a0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | English | United States | 0.6193806932450018 |
| RT_ICON | 0x93cc8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.6783195020746888 |
| RT_ICON | 0x96270 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.7033302063789869 |
| RT_ICON | 0x97318 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | United States | 0.7731876332622601 |
| RT_ICON | 0x981c0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States | 0.7274590163934426 |
| RT_ICON | 0x98b48 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | United States | 0.8285198555956679 |
| RT_ICON | 0x993f0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | English | United States | 0.8323732718894009 |
| RT_ICON | 0x99ab8 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 0 | English | United States | 0.5115853658536585 |
| RT_ICON | 0x9a120 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | United States | 0.6777456647398844 |
| RT_ICON | 0x9a688 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.7854609929078015 |
| RT_ICON | 0x9aaf0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | United States | 0.553763440860215 |
| RT_ICON | 0x9add8 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 0 | English | United States | 0.6065573770491803 |
| RT_ICON | 0x9afc0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | United States | 0.6587837837837838 |
| RT_DIALOG | 0x9b0e8 | 0x100 | data | English | United States | 0.5234375 |
| RT_DIALOG | 0x9b1e8 | 0x11c | data | English | United States | 0.6056338028169014 |
| RT_DIALOG | 0x9b308 | 0xc4 | data | English | United States | 0.5918367346938775 |
| RT_DIALOG | 0x9b3d0 | 0x60 | data | English | United States | 0.7291666666666666 |
| RT_GROUP_ICON | 0x9b430 | 0xca | data | English | United States | 0.5792079207920792 |
| RT_VERSION | 0x9b500 | 0x1f4 | data | English | United States | 0.518 |
| RT_MANIFEST | 0x9b6f8 | 0x340 | XML 1.0 document, ASCII text, with very long lines (832), with no line terminators | English | United States | 0.5540865384615384 |
| DLL | Import |
|---|---|
| KERNEL32.dll | SetEnvironmentVariableA, CreateFileA, GetFileSize, GetModuleFileNameA, ReadFile, GetCurrentProcess, CopyFileA, Sleep, GetTickCount, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, ExitProcess, SetCurrentDirectoryA, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, GlobalUnlock, GetDiskFreeSpaceA, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA |
| USER32.dll | ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA |
| GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
| SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA |
| ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA |
| COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
| ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jul 3, 2024 14:02:44.627262115 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:44.848557949 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:44.848853111 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:44.849066019 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.071357012 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.071486950 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.071501970 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.071516037 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.071526051 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.071543932 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.071645975 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.071645975 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.297693968 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.297709942 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.297821045 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.297835112 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.297848940 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.297861099 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.297872066 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.297883034 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.297892094 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.297955990 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.297955990 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.298099041 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.519021988 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.519037008 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.519118071 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.519133091 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.519145012 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.519159079 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.519170046 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.519181013 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.519191980 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.519202948 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.519244909 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.519244909 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.519244909 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.519330978 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.519332886 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.519334078 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.519345999 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.519345999 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.519345999 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.519345999 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.519345999 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.519345999 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.519345999 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.519536018 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.519537926 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.519539118 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.519550085 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.519589901 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.519694090 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.741504908 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.741519928 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.741534948 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.741547108 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.741767883 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.741822004 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.741837978 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.741852999 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.741879940 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.741893053 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.741904974 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.741920948 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.741939068 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.741950989 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.742012024 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.742013931 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.742014885 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.742016077 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.742016077 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.742017984 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.742018938 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.742018938 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.742080927 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.742094040 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.742142916 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.742142916 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.742182016 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.742202997 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.742202997 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.742202997 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.742203951 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.742204905 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.742206097 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.742207050 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.742208004 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.742208004 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.742208958 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.742209911 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.742211103 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.742212057 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.742310047 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.742310047 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.742357969 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.742407084 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.742407084 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.742455959 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.742553949 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.963105917 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.963244915 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.963260889 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.963273048 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.963284016 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.963295937 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.963308096 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.963320017 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.963330984 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.963342905 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.963354111 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.963366032 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.963375092 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.963397980 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.963485956 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.963485956 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.963593960 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.963610888 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.963651896 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.963704109 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.963713884 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.963716984 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.963730097 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.963742971 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.963756084 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.963768959 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.963783979 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.963797092 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.963803053 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.963809967 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.963821888 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.963834047 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.963846922 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.963846922 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.963860035 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.963872910 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.963885069 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.963897943 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.963910103 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.963912010 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.963963985 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.963965893 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.963967085 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.963968039 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.963975906 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.963989973 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.964003086 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.964015007 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.964027882 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.964030027 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.964030027 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.964042902 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.964062929 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.964076996 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.964090109 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.964102983 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.964114904 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.964126110 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.964128017 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.964140892 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.964153051 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.964167118 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.964193106 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.964205980 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.964216948 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.964216948 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.964221954 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.964234114 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.964245081 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.964257002 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.964268923 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.964314938 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.964327097 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.964335918 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:45.964346886 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.964346886 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.964368105 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.964368105 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.964442015 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.964442015 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:45.964570045 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.184523106 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.184572935 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.184612989 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.184643030 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.184679031 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.184705973 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.184720993 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.184732914 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.184760094 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.184787035 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.184814930 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.184847116 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.184874058 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.184885979 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.184900999 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.184916973 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.184917927 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.184927940 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.184948921 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.185015917 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.185074091 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.185153961 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.185251951 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.185288906 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.185317039 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.185350895 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.185372114 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.185373068 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.185455084 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.185455084 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.185539961 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.186070919 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.186101913 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.186129093 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.186156988 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.186184883 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.186230898 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.186244011 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.186280012 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.186306953 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.186321020 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.186346054 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.186372995 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.186399937 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.186425924 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.186454058 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.186467886 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.186491966 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.186520100 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.186547041 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.186573982 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.186579943 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.186609983 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.186633110 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.186647892 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.186675072 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.186697960 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.186712027 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.186738968 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.186749935 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.186749935 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.186780930 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.186811924 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.186837912 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.186865091 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.186880112 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.186880112 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.186907053 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.186928034 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.186943054 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.186970949 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.186976910 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.187006950 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.187026978 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.187045097 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.187072039 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.187077045 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.187108994 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.187139988 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.187166929 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.187179089 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.187179089 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.187208891 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.187238932 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.187266111 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.187278032 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.187278032 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.187330961 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.187335014 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.187371016 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.187401056 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.187423944 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.187423944 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.187441111 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.187469006 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.187496901 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.187521935 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.187521935 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.187536955 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.187565088 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.187570095 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.187601089 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.187619925 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.187638998 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.187665939 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.187689066 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.187716007 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.187741995 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.187768936 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.187796116 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.187802076 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.187828064 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:02:46.187868118 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.187947035 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:46.188102007 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:02:47.930686951 CEST | 49843 | 80 | 192.168.11.30 | 208.95.112.1 |
| Jul 3, 2024 14:02:48.066569090 CEST | 80 | 49843 | 208.95.112.1 | 192.168.11.30 |
| Jul 3, 2024 14:02:48.066987038 CEST | 49843 | 80 | 192.168.11.30 | 208.95.112.1 |
| Jul 3, 2024 14:02:48.067605019 CEST | 49843 | 80 | 192.168.11.30 | 208.95.112.1 |
| Jul 3, 2024 14:02:48.201086998 CEST | 80 | 49843 | 208.95.112.1 | 192.168.11.30 |
| Jul 3, 2024 14:02:48.247817039 CEST | 49843 | 80 | 192.168.11.30 | 208.95.112.1 |
| Jul 3, 2024 14:03:20.657516956 CEST | 80 | 49843 | 208.95.112.1 | 192.168.11.30 |
| Jul 3, 2024 14:03:20.657737970 CEST | 49843 | 80 | 192.168.11.30 | 208.95.112.1 |
| Jul 3, 2024 14:03:32.442104101 CEST | 80 | 49843 | 208.95.112.1 | 192.168.11.30 |
| Jul 3, 2024 14:04:34.614667892 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Jul 3, 2024 14:04:34.836252928 CEST | 80 | 49842 | 185.222.58.113 | 192.168.11.30 |
| Jul 3, 2024 14:04:34.836548090 CEST | 49842 | 80 | 192.168.11.30 | 185.222.58.113 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jul 3, 2024 14:02:47.804864883 CEST | 56750 | 53 | 192.168.11.30 | 1.1.1.1 |
| Jul 3, 2024 14:02:47.924290895 CEST | 53 | 56750 | 1.1.1.1 | 192.168.11.30 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Jul 3, 2024 14:02:47.804864883 CEST | 192.168.11.30 | 1.1.1.1 | 0x9bce | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jul 3, 2024 14:02:47.924290895 CEST | 1.1.1.1 | 192.168.11.30 | 0x9bce | No error (0) | 208.95.112.1 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.11.30 | 49842 | 185.222.58.113 | 80 | 9536 | C:\Users\user\Desktop\1ppvR5VRT6.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jul 3, 2024 14:02:44.849066019 CEST | 171 | OUT | |
| Jul 3, 2024 14:02:45.071357012 CEST | 1289 | IN | |
| Jul 3, 2024 14:02:45.071486950 CEST | 1289 | IN | |
| Jul 3, 2024 14:02:45.071501970 CEST | 1289 | IN | |
| Jul 3, 2024 14:02:45.071516037 CEST | 1289 | IN | |
| Jul 3, 2024 14:02:45.297693968 CEST | 1289 | IN | |
| Jul 3, 2024 14:02:45.297709942 CEST | 1289 | IN | |
| Jul 3, 2024 14:02:45.297821045 CEST | 1289 | IN | |
| Jul 3, 2024 14:02:45.297835112 CEST | 1289 | IN | |
| Jul 3, 2024 14:02:45.297848940 CEST | 1289 | IN | |
| Jul 3, 2024 14:02:45.297861099 CEST | 1289 | IN | |
| Jul 3, 2024 14:02:45.297872066 CEST | 1289 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.11.30 | 49843 | 208.95.112.1 | 80 | 9536 | C:\Users\user\Desktop\1ppvR5VRT6.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jul 3, 2024 14:02:48.067605019 CEST | 80 | OUT | |
| Jul 3, 2024 14:02:48.201086998 CEST | 174 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 5 |
| Start time: | 08:02:13 |
| Start date: | 03/07/2024 |
| Path: | C:\Users\user\Desktop\1ppvR5VRT6.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 864'817 bytes |
| MD5 hash: | 12B29055A6B47A95B2FE8BCD19859C70 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 9 |
| Start time: | 08:02:29 |
| Start date: | 03/07/2024 |
| Path: | C:\Users\user\Desktop\1ppvR5VRT6.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 864'817 bytes |
| MD5 hash: | 12B29055A6B47A95B2FE8BCD19859C70 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | false |
Execution Graph
| Execution Coverage: | 23.9% |
| Dynamic/Decrypted Code Coverage: | 13.8% |
| Signature Coverage: | 20.2% |
| Total number of Nodes: | 1519 |
| Total number of Limit Nodes: | 50 |
Graph
Function 0040330D Relevance: 91.4, APIs: 33, Strings: 19, Instructions: 368stringcomfileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004052FE Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282windowclipboardmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405861 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 159filestringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406725 Relevance: 5.4, APIs: 4, Instructions: 382COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403C86 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346windowstringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004038E9 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215stringregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402D98 Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 203memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004060BB Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 199stringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401759 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147stringtimeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004051C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73stringwindowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004063C3 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401C04 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004023D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405B1F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405F80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405738 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406B5A Relevance: 5.2, APIs: 4, Instructions: 236COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406D5B Relevance: 5.2, APIs: 4, Instructions: 208COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406A71 Relevance: 5.2, APIs: 4, Instructions: 205COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406576 Relevance: 5.2, APIs: 4, Instructions: 198COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004069C4 Relevance: 5.2, APIs: 4, Instructions: 180COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406AE2 Relevance: 5.2, APIs: 4, Instructions: 170COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406A2E Relevance: 5.2, APIs: 4, Instructions: 168COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402245 Relevance: 4.6, APIs: 3, Instructions: 51stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100027E4 Relevance: 3.2, APIs: 2, Instructions: 156COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040303E Relevance: 3.1, APIs: 2, Instructions: 88COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401A1E Relevance: 3.0, APIs: 2, Instructions: 30stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401E25 Relevance: 3.0, APIs: 2, Instructions: 25COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040156F Relevance: 3.0, APIs: 2, Instructions: 23COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405C32 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405703 Relevance: 3.0, APIs: 2, Instructions: 9COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004025C4 Relevance: 1.6, APIs: 1, Instructions: 76COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402682 Relevance: 1.5, APIs: 1, Instructions: 28COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004022F6 Relevance: 1.5, APIs: 1, Instructions: 26COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405CD9 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405CAA Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002709 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040233A Relevance: 1.5, APIs: 1, Instructions: 20COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040159D Relevance: 1.5, APIs: 1, Instructions: 18COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004041A6 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040577B Relevance: 1.5, APIs: 1, Instructions: 6COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004032C5 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040418F Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040417C Relevance: 1.5, APIs: 1, Instructions: 4COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004014D6 Relevance: 1.3, APIs: 1, Instructions: 19sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404B3D Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004045CA Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004026F8 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004042A3 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 202windowstringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405D08 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorystringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004041C1 Relevance: 12.1, APIs: 8, Instructions: 61COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100023D8 Relevance: 10.6, APIs: 7, Instructions: 111COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404A8B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402C61 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100021FA Relevance: 9.1, APIs: 6, Instructions: 137memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404981 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401D3B Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405A31 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405134 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405A78 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100010E0 Relevance: 5.1, APIs: 4, Instructions: 102memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405B97 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001688F8 Relevance: 2.8, Instructions: 2829COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001689B0 Relevance: 2.4, Instructions: 2415COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0016BB68 Relevance: 2.3, Instructions: 2309COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 390E2120 Relevance: 2.1, Strings: 1, Instructions: 816COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0016EF70 Relevance: 1.8, Strings: 1, Instructions: 545COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001638F8 Relevance: 1.5, Strings: 1, Instructions: 238COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 390E80F8 Relevance: .6, Instructions: 636COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 390E38C8 Relevance: .5, Instructions: 474COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00164910 Relevance: .3, Instructions: 266COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0016E259 Relevance: 4.8, Strings: 3, Instructions: 1013COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001662C8 Relevance: 3.1, Strings: 2, Instructions: 558COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 390E6C38 Relevance: 2.9, Strings: 2, Instructions: 390COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 390E0CFD Relevance: 2.7, Strings: 2, Instructions: 185COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 390E04C4 Relevance: 1.8, Strings: 1, Instructions: 543COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001638ED Relevance: 1.5, Strings: 1, Instructions: 235COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 390E8EB0 Relevance: .8, Instructions: 794COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 390E75B8 Relevance: .5, Instructions: 472COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00168140 Relevance: .4, Instructions: 368COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001684A8 Relevance: .4, Instructions: 354COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 390E7191 Relevance: .3, Instructions: 307COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00161168 Relevance: .3, Instructions: 297COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 390E75B6 Relevance: .3, Instructions: 270COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00164905 Relevance: .3, Instructions: 262COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0016812C Relevance: .2, Instructions: 241COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 390E4CA8 Relevance: .2, Instructions: 231COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 390E0039 Relevance: .2, Instructions: 219COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 390E0040 Relevance: .2, Instructions: 218COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 390E1720 Relevance: .2, Instructions: 212COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00165080 Relevance: .2, Instructions: 184COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 390E4C99 Relevance: .2, Instructions: 169COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 390E15B8 Relevance: .1, Instructions: 126COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 390E9A26 Relevance: .1, Instructions: 123COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0016E0CD Relevance: .1, Instructions: 114COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00165C68 Relevance: .1, Instructions: 101COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00165C88 Relevance: .1, Instructions: 97COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00162154 Relevance: .1, Instructions: 96COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0016DF90 Relevance: .1, Instructions: 96COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00167FF8 Relevance: .1, Instructions: 94COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0016DFA0 Relevance: .1, Instructions: 91COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00162160 Relevance: .1, Instructions: 90COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00164F10 Relevance: .1, Instructions: 90COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00164F20 Relevance: .1, Instructions: 89COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0016F9B0 Relevance: .1, Instructions: 79COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00168028 Relevance: .1, Instructions: 78COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0016F9C0 Relevance: .1, Instructions: 78COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00161520 Relevance: .1, Instructions: 75COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00167B10 Relevance: .1, Instructions: 74COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00164E02 Relevance: .1, Instructions: 73COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001616F8 Relevance: .1, Instructions: 72COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000AD01C Relevance: .1, Instructions: 72COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00167B20 Relevance: .1, Instructions: 70COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00161708 Relevance: .1, Instructions: 70COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00161530 Relevance: .1, Instructions: 69COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00164E10 Relevance: .1, Instructions: 68COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 390E2850 Relevance: .1, Instructions: 68COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00160839 Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00167DF0 Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000AD006 Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00160848 Relevance: .1, Instructions: 62COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00161480 Relevance: .1, Instructions: 60COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0016FAD0 Relevance: .1, Instructions: 59COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00161640 Relevance: .1, Instructions: 59COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0016FD08 Relevance: .1, Instructions: 55COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00167E04 Relevance: .1, Instructions: 55COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 390EACF8 Relevance: .1, Instructions: 54COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00161490 Relevance: .1, Instructions: 53COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0016F788 Relevance: .1, Instructions: 52COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0016FAC0 Relevance: .1, Instructions: 51COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0016FD18 Relevance: .1, Instructions: 51COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 390EAD08 Relevance: .0, Instructions: 49COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00168658 Relevance: .0, Instructions: 47COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001653E1 Relevance: .0, Instructions: 46COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 390E5E80 Relevance: .0, Instructions: 46COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 390E6E88 Relevance: .0, Instructions: 34COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 390E3E47 Relevance: .0, Instructions: 30COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 390E0BE9 Relevance: .0, Instructions: 25COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040330D Relevance: 79.1, APIs: 33, Strings: 12, Instructions: 368stringcomfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404B3D Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405861 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 159filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406725 Relevance: 5.4, APIs: 4, Instructions: 382COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004052FE Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282windowclipboardmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403C86 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346windowstringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004038E9 Relevance: 38.7, APIs: 13, Strings: 9, Instructions: 215stringregistryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004042A3 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202windowstringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004045CA Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 274stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405D08 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorystringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402D98 Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 203memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004060BB Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 199stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004041C1 Relevance: 12.1, APIs: 8, Instructions: 61COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404A8B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402C61 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004063C3 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404981 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401D95 Relevance: 7.5, APIs: 5, Instructions: 43COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401D3B Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401C04 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405686 Relevance: 6.0, APIs: 4, Instructions: 39COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405B1F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405134 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405738 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406B5A Relevance: 5.2, APIs: 4, Instructions: 236COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406D5B Relevance: 5.2, APIs: 4, Instructions: 208COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406A71 Relevance: 5.2, APIs: 4, Instructions: 205COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 390EAD8F Relevance: 5.2, Strings: 4, Instructions: 203COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406576 Relevance: 5.2, APIs: 4, Instructions: 198COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004069C4 Relevance: 5.2, APIs: 4, Instructions: 180COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406AE2 Relevance: 5.2, APIs: 4, Instructions: 170COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406A2E Relevance: 5.2, APIs: 4, Instructions: 168COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405B97 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|