Edit tour
Windows
Analysis Report
qeUaxJCA3FO.exe
Overview
General Information
| Sample name: | qeUaxJCA3FO.exe |
| Analysis ID: | 1467846 |
| MD5: | efc76b9581da08661c9c91c2a6e7d289 |
| SHA1: | ef7674fe136d80308a44d99ac72b8be550604110 |
| SHA256: | 85356bb669ec17503e48ca457e99347f5386ba644fba9d638d4188a7b4970153 |
| Tags: | exelumma |
| Infos: |  |
 | |
Detection
LummaC
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
qeUaxJCA3FO.exe (PID: 7528 cmdline: "C:\Users\ user\Deskt op\qeUaxJC A3FO.exe" MD5: EFC76B9581DA08661C9C91C2A6E7D289) - RegAsm.exe (PID: 7552 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13) - RegAsm.exe (PID: 7560 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13) 
WerFault.exe (PID: 7640 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 7 528 -s 304 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
{"C2 url": ["benchillppwo.shop", "publicitttyps.shop", "answerrsdo.shop", "radiationnopp.shop", "affecthorsedpo.shop", "bargainnykwo.shop", "bannngwko.shop", "bouncedgowp.shop", "bitchsafettyudjwu.shop"], "Build id": "LPnhqo--@SEFYALUV"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Code function: | 2_2_00416448 | |
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00FAF7AE | |
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Code function: | 2_2_00427964 | |
| Source: | Code function: | 2_2_004209C0 | |
| Source: | Code function: | 2_2_004209C0 | |
| Source: | Code function: | 2_2_004171F0 | |
| Source: | Code function: | 2_2_0040A2D0 | |
| Source: | Code function: | 2_2_00416448 | |
| Source: | Code function: | 2_2_00416448 | |
| Source: | Code function: | 2_2_00416448 | |
| Source: | Code function: | 2_2_00418D70 | |
| Source: | Code function: | 2_2_004165AF | |
| Source: | Code function: | 2_2_004165AF | |
| Source: | Code function: | 2_2_0041AE00 | |
| Source: | Code function: | 2_2_00415ED0 | |
| Source: | Code function: | 2_2_00439800 | |
| Source: | Code function: | 2_2_00439800 | |
| Source: | Code function: | 2_2_0041F836 | |
| Source: | Code function: | 2_2_0041F836 | |
| Source: | Code function: | 2_2_004390D0 | |
| Source: | Code function: | 2_2_004390D0 | |
| Source: | Code function: | 2_2_00413880 | |
| Source: | Code function: | 2_2_00414166 | |
| Source: | Code function: | 2_2_0041393C | |
| Source: | Code function: | 2_2_004039F0 | |
| Source: | Code function: | 2_2_0041F9F6 | |
| Source: | Code function: | 2_2_0042118E | |
| Source: | Code function: | 2_2_004159A0 | |
| Source: | Code function: | 2_2_00428A46 | |
| Source: | Code function: | 2_2_004282C0 | |
| Source: | Code function: | 2_2_0041D2D4 | |
| Source: | Code function: | 2_2_0041D2D4 | |
| Source: | Code function: | 2_2_004182FE | |
| Source: | Code function: | 2_2_004182FE | |
| Source: | Code function: | 2_2_00423AAF | |
| Source: | Code function: | 2_2_00403BB0 | |
| Source: | Code function: | 2_2_004253B0 | |
| Source: | Code function: | 2_2_00439BB0 | |
| Source: | Code function: | 2_2_00433462 | |
| Source: | Code function: | 2_2_00425C76 | |
| Source: | Code function: | 2_2_004154D3 | |
| Source: | Code function: | 2_2_004274ED | |
| Source: | Code function: | 2_2_0040E4F0 | |
| Source: | Code function: | 2_2_00435540 | |
| Source: | Code function: | 2_2_00427510 | |
| Source: | Code function: | 2_2_00426DC3 | |
| Source: | Code function: | 2_2_004165C4 | |
| Source: | Code function: | 2_2_00416DB9 | |
| Source: | Code function: | 2_2_00402E70 | |
| Source: | Code function: | 2_2_00422E10 | |
| Source: | Code function: | 2_2_004306E0 | |
| Source: | Code function: | 2_2_004396B0 | |
| Source: | Code function: | 2_2_00417742 | |
| Source: | Code function: | 2_2_0041FF50 | |
| Source: | Code function: | 2_2_0041FF50 | |
| Source: | Code function: | 2_2_004087E0 | |
| Source: | Code function: | 2_2_00413FA2 | |
Networking | |
|---|
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 2_2_0042E680 | |
| Source: | Code function: | 2_2_0042E680 | |
| Source: | Code function: | 2_2_0042E850 | |
| Source: | Code function: | 0_2_00F92880 | |
| Source: | Code function: | 0_2_00FAB11C | |
| Source: | Code function: | 0_2_00FA125C | |
| Source: | Code function: | 0_2_00F93320 | |
| Source: | Code function: | 0_2_00FA15A4 | |
| Source: | Code function: | 0_2_00FA9D96 | |
| Source: | Code function: | 0_2_00FA5570 | |
| Source: | Code function: | 0_2_00FB36B5 | |
| Source: | Code function: | 2_2_004209C0 | |
| Source: | Code function: | 2_2_00417266 | |
| Source: | Code function: | 2_2_00405350 | |
| Source: | Code function: | 2_2_00416448 | |
| Source: | Code function: | 2_2_00421510 | |
| Source: | Code function: | 2_2_0040F850 | |
| Source: | Code function: | 2_2_00439800 | |
| Source: | Code function: | 2_2_00428008 | |
| Source: | Code function: | 2_2_004390D0 | |
| Source: | Code function: | 2_2_004248E9 | |
| Source: | Code function: | 2_2_00401972 | |
| Source: | Code function: | 2_2_00404930 | |
| Source: | Code function: | 2_2_004329F0 | |
| Source: | Code function: | 2_2_0041F9F6 | |
| Source: | Code function: | 2_2_00407180 | |
| Source: | Code function: | 2_2_0043B1A0 | |
| Source: | Code function: | 2_2_00435B30 | |
| Source: | Code function: | 2_2_00406BB0 | |
| Source: | Code function: | 2_2_00439BB0 | |
| Source: | Code function: | 2_2_00401C7A | |
| Source: | Code function: | 2_2_0043B4C0 | |
| Source: | Code function: | 2_2_004234CC | |
| Source: | Code function: | 2_2_004364E0 | |
| Source: | Code function: | 2_2_00401D00 | |
| Source: | Code function: | 2_2_00425650 | |
| Source: | Code function: | 2_2_00422E10 | |
| Source: | Code function: | 2_2_00403EF0 | |
| Source: | Code function: | 2_2_004396B0 | |
| Source: | Code function: | 2_2_00401F60 | |
| Source: | Code function: | 2_2_004087E0 | |
| Source: | Code function: | 2_2_0041D7F1 | |
| Source: | Process created: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 2_2_0042D116 | |
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00F9B29B | |
| Source: | Code function: | 2_2_00440A56 | |
| Source: | Code function: | 2_2_004413C5 | |
| Source: | Code function: | 2_2_00440749 | |
| Source: | Code function: | 2_2_00440749 | |
| Source: | Code function: | 2_2_00440749 | |
| Source: | Code function: | 2_2_00440749 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | System information queried: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Code function: | 0_2_00FAF7AE | |
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 2_2_00437520 | |
| Source: | Code function: | 0_2_00FA2C23 | |
| Source: | Code function: | 0_2_00FA9B12 | |
| Source: | Code function: | 0_2_00FA69CE | |
| Source: | Code function: | 0_2_00FA9B56 | |
| Source: | Code function: | 0_2_00FB2E46 | |
| Source: | Code function: | 0_2_00F9B905 | |
| Source: | Code function: | 0_2_00FA2C23 | |
| Source: | Code function: | 0_2_00F9B69A | |
| Source: | Code function: | 0_2_00F9B7F6 | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Code function: | 0_2_0287018D | |
| Source: | Memory written: | Jump to behavior | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00F9B380 | |
| Source: | Code function: | 0_2_00FB28E6 | |
| Source: | Code function: | 0_2_00FA89E6 | |
| Source: | Code function: | 0_2_00FB2280 | |
| Source: | Code function: | 0_2_00FB2A0F | |
| Source: | Code function: | 0_2_00FB2BE4 | |
| Source: | Code function: | 0_2_00FB2B15 | |
| Source: | Code function: | 0_2_00FB247B | |
| Source: | Code function: | 0_2_00FB256D | |
| Source: | Code function: | 0_2_00FB2522 | |
| Source: | Code function: | 0_2_00FB2693 | |
| Source: | Code function: | 0_2_00FB2608 | |
| Source: | Code function: | 0_2_00FA8F4C | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_00F9B594 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 411 Process Injection | 11 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 411 Process Injection | LSASS Memory | 141 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 3 Data from Local System | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 1 Process Discovery | Distributed Component Object Model | 2 Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 33 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 58% | ReversingLabs | Win32.Trojan.Zusy | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| bitchsafettyudjwu.shop | 104.21.27.50 | true | true | unknown | |
| 206.23.85.13.in-addr.arpa | unknown | unknown | false | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| false |
| unknown | |
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 104.21.27.50 | bitchsafettyudjwu.shop | United States | 13335 | CLOUDFLARENETUS | true |
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1467846 |
| Start date and time: | 2024-07-04 21:48:07 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 4m 30s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 11 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | qeUaxJCA3FO.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@6/5@2/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.42.65.92
- Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- VT rate limit hit for: qeUaxJCA3FO.exe
| Time | Type | Description |
|---|---|---|
| 15:48:56 | API Interceptor | |
| 15:49:06 | API Interceptor |
⊘No context
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | Snake Keylogger | Browse |
| |
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | LummaC, SmokeLoader | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Clipboard Hijacker, PureLog Stealer, RisePro Stealer, zgRAT | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Amadey, Mars Stealer, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Clipboard Hijacker, PureLog Stealer, RisePro Stealer | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
|
⊘No context
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_qeUaxJCA3FO.exe_26ced5a8273fce98aa9021c21fb0fef74efa7d5c_dc1fb231_c6be8ca1-2306-40fb-9124-95b6fa544bbf\Report.wer 
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.7160322192643771 |
| Encrypted: | false |
| SSDEEP: | 96:LsFp3ecT/sqshqgqm7qVftQXIDcQwc6SfcEAcw3VEa+HbHg/8BRTf3Oy1H3a9/Zj:Yp/JlA0+gKijuGzuiFuZ24IO83xo |
| MD5: | 27D1ECA27844F6AFCFED7CFEC7322DF3 |
| SHA1: | 497C38D51ED5506DE7339B3B970E5AE54398FD7A |
| SHA-256: | D463A866CC99FF84840B365F35EAA78AC38D859A0929427B038C49ED38D9F143 |
| SHA-512: | 536D3418FAE472CFADF7E1F9460E23C4EC3437E3C6F8AEF2C6EA6C7A00C7E1553618FCA2DD1180835113219BA8389E622A5FB7BFBCE961836788949CF38A141A |
| Malicious: | true |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 55908 |
| Entropy (8bit): | 1.698977719838576 |
| Encrypted: | false |
| SSDEEP: | 192:870yjOtOQtmRUShYN8gldDBLRNecuLc864LV8FV:6jaUQtm6sYN8gDBLRNeTt64ef |
| MD5: | D022212E1272878B9B66F375B9EE7E90 |
| SHA1: | A161D8ED910E69CAAE7A6252DDB6848C8BDEBABD |
| SHA-256: | EEA89588B4BA65BEEACC3BF5B8B3624C50A8CF3345D78334D885EB2206382357 |
| SHA-512: | AC1B2627B5FB3331E9F64E99D57B24E305B8A86771D3982C19F3D8B49548F69D5B9D8986A4FB620CE6087F5AA45FE12727196863C41D8E071B4916BE8218072F |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8302 |
| Entropy (8bit): | 3.701008219726407 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJbl6M6Y9hSUsDbWggmfUhmpDy89bgzsf3gm:R6lXJJ6M6YLSUsDbpgmfUWgYfV |
| MD5: | FF81155B9A71E57EAAE6B9EB8775AA17 |
| SHA1: | 52329AC3D957580BABBE9A610A98F3E03BA2C9F1 |
| SHA-256: | AEF48E5BE103E124F69E58AA4DEF3D3E1473636597B643F7EA11E099114C2A98 |
| SHA-512: | A2B8D5A0982DD771C89251425F2229EE7EB16BDE1E630DA0FA5EDE6D373F9C1441D378FEBE0934564A69567A7FE5A660A4975594DFF153086ACBB4E45E00AA87 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4586 |
| Entropy (8bit): | 4.482762197207333 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zs4Jg77aI9LQWpW8VY2dYm8M4JSFLFBLFFFfQv+q8fF9FCwRyRKjFU8ci:uIjf+I7Jp7VmJSxfEiv3RyIj+d+dd |
| MD5: | 7BDA248AC10989C6D2F7077E73AA123E |
| SHA1: | 0AD2E93150A29AC51188D6236779745CA7DCE7C3 |
| SHA-256: | B86A31A5F7FD7119615B2BD776A4AFC2D420A1478EF391B779A3B9D737996580 |
| SHA-512: | BEBDE725A84E8EF9A6BF06E3D21AFF6079A1C538E60C2532B3249F192430B951B9553456FD944EF0A332D09E458FCB11D47CA8C0204AC32ECA9F3142D24BB8FF |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1835008 |
| Entropy (8bit): | 4.46547603640039 |
| Encrypted: | false |
| SSDEEP: | 6144:vIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uN+dwBCswSbA:AXD94+WlLZMM6YFHg+A |
| MD5: | 78736CA7460022345B8E2A98981FDEEC |
| SHA1: | 31BBCADA24EDB0364A8A48E0B521C7D7469D4A1B |
| SHA-256: | 177F86BB2FE62564451D7F016F0760AAA7D707481F0DCD4425A3DE99D4B74DC2 |
| SHA-512: | A8A3FCDF30AACE1255D90B78347860813C9A323447266D030688ED9DA4E32666DFC1BD98CE90CF7474684DF3C14FFB9E0228102238D4DE6CF9AA3608DDE91162 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.6320128013011015 |
| TrID: |
|
| File name: | qeUaxJCA3FO.exe |
| File size: | 530'432 bytes |
| MD5: | efc76b9581da08661c9c91c2a6e7d289 |
| SHA1: | ef7674fe136d80308a44d99ac72b8be550604110 |
| SHA256: | 85356bb669ec17503e48ca457e99347f5386ba644fba9d638d4188a7b4970153 |
| SHA512: | b2d3432b68b227a5ad64faf6cc789f32ab2234a070c25393849c3d170616a125c1c3c82e18a7952b3ddd3a0024ff845c67aa67ce9b011b9cd9b74e093fc4e5d1 |
| SSDEEP: | 12288:MnUGt+HbHe5BjPORtvLP9qpbY7/2E1yItd2ybSLxWP1yh:Mnncbs1PODZqpBCSiS8Pg |
| TLSH: | 68B4F10175C18472E573113706E5DBB69A3EB9300B616ECB6B841F7FCF602C29B3669A |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........1.kxb.kxb.kxbj.{c.kxbj.}c.kxbj.|c.kxb{.|c.kxb{.{c.kxbj.yc.kxb.kyb8kxb{.}c.kxbJ.qc.kxbJ.xc.kxbJ..b.kxbJ.zc.kxbRich.kxb....... |
 | |
| Icon Hash: | 90cececece8e8eb0 |
| Entrypoint: | 0x40afb9 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x66869C92 [Thu Jul 4 12:58:58 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 811cfc8e0687b9bcab4d19d1ac4a7df0 |
| Instruction |
|---|
| call 00007F4860B5CFA8h |
| jmp 00007F4860B5C7F9h |
| cmp ecx, dword ptr [00435040h] |
| jne 00007F4860B5C983h |
| ret |
| jmp 00007F4860B5D2E1h |
| jmp 00007F4860B5D4B1h |
| push ebp |
| mov ebp, esp |
| jmp 00007F4860B5C98Fh |
| push dword ptr [ebp+08h] |
| call 00007F4860B69C66h |
| pop ecx |
| test eax, eax |
| je 00007F4860B5C991h |
| push dword ptr [ebp+08h] |
| call 00007F4860B65E97h |
| pop ecx |
| test eax, eax |
| je 00007F4860B5C968h |
| pop ebp |
| ret |
| cmp dword ptr [ebp+08h], FFFFFFFFh |
| je 00007F4860B5D48Ch |
| jmp 00007F4860B594A4h |
| push ebp |
| mov ebp, esp |
| push dword ptr [ebp+08h] |
| call 00007F4860B5D476h |
| pop ecx |
| pop ebp |
| ret |
| push ebp |
| mov ebp, esp |
| test byte ptr [ebp+08h], 00000001h |
| push esi |
| mov esi, ecx |
| mov dword ptr [esi], 0042B35Ch |
| je 00007F4860B5C98Ch |
| push 0000000Ch |
| push esi |
| call 00007F4860B5C95Dh |
| pop ecx |
| pop ecx |
| mov eax, esi |
| pop esi |
| pop ebp |
| retn 0004h |
| push ebp |
| mov ebp, esp |
| mov eax, dword ptr [ebp+08h] |
| push esi |
| mov ecx, dword ptr [eax+3Ch] |
| add ecx, eax |
| movzx eax, word ptr [ecx+14h] |
| lea edx, dword ptr [ecx+18h] |
| add edx, eax |
| movzx eax, word ptr [ecx+06h] |
| imul esi, eax, 28h |
| add esi, edx |
| cmp edx, esi |
| je 00007F4860B5C99Bh |
| mov ecx, dword ptr [ebp+0Ch] |
| cmp ecx, dword ptr [edx+0Ch] |
| jc 00007F4860B5C98Ch |
| mov eax, dword ptr [edx+08h] |
| add eax, dword ptr [edx+0Ch] |
| cmp ecx, eax |
| jc 00007F4860B5C98Eh |
| add edx, 28h |
| cmp edx, esi |
| jne 00007F4860B5C96Ch |
| xor eax, eax |
| pop esi |
| pop ebp |
| ret |
| mov eax, edx |
| jmp 00007F4860B5C97Bh |
| push esi |
| call 00007F4860B5D428h |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x34160 | 0x48 | .rdata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x341a8 | 0x3c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x82000 | 0x1e0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x83000 | 0x1f9c | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x31fc0 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x31f00 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2a000 | 0x164 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x27817 | 0x27a00 | 60a0db05ce4e38dd78d4dabbb8745b56 | False | 0.5494935429810726 | data | 6.643882671099797 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .BSS | 0x29000 | 0xdfd | 0xe00 | e44939ff194ea63962967f5df0ecf385 | False | 0.642578125 | data | 6.40519127535927 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x2a000 | 0xa9c2 | 0xaa00 | ac1aa776148644c596d3677f95f632bf | False | 0.4309972426470588 | data | 4.960157816836582 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x35000 | 0x4cfa4 | 0x4c000 | ae2881be7a656d98fd734520914fbc5d | False | 0.9867810701069079 | data | 7.989334474529715 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x82000 | 0x1e0 | 0x200 | c35d66eb0330df7b21d6f51c26172ee0 | False | 0.52734375 | data | 4.704363013479242 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x83000 | 0x1f9c | 0x2000 | 8fb1a23c8dee9bb28d69986333c65fb8 | False | 0.7489013671875 | data | 6.521174734170063 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_MANIFEST | 0x82060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727 |
| DLL | Import |
|---|---|
| USER32.dll | OffsetRect, GetUpdateRgn |
| KERNEL32.dll | CreateFileW, HeapSize, GetProcessHeap, SetStdHandle, SetEnvironmentVariableW, VirtualAlloc, WaitForSingleObject, CreateThread, GetThreadId, MultiByteToWideChar, GetStringTypeW, WideCharToMultiByte, GetCurrentThreadId, CloseHandle, WaitForSingleObjectEx, GetExitCodeThread, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, ReleaseSRWLockExclusive, WakeAllConditionVariable, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, GetCPInfo, IsProcessorFeaturePresent, GetCurrentProcessId, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetCurrentProcess, TerminateProcess, FreeEnvironmentStringsW, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, WriteConsoleW |
| Name | Ordinal | Address |
|---|---|---|
| AwakeSound | 1 | 0x429c70 |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jul 4, 2024 21:48:55.299067974 CEST | 49730 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:55.299104929 CEST | 443 | 49730 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:55.299173117 CEST | 49730 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:55.302306890 CEST | 49730 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:55.302316904 CEST | 443 | 49730 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:55.806049109 CEST | 443 | 49730 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:55.806117058 CEST | 49730 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:55.814004898 CEST | 49730 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:55.814013958 CEST | 443 | 49730 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:55.814394951 CEST | 443 | 49730 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:55.867760897 CEST | 49730 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:55.875117064 CEST | 49730 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:55.875138044 CEST | 49730 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:55.875258923 CEST | 443 | 49730 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:56.541209936 CEST | 443 | 49730 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:56.541322947 CEST | 443 | 49730 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:56.541368961 CEST | 49730 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:56.543469906 CEST | 49730 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:56.543487072 CEST | 443 | 49730 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:56.543524027 CEST | 49730 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:56.543529987 CEST | 443 | 49730 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:56.546849966 CEST | 49732 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:56.546870947 CEST | 443 | 49732 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:56.546936035 CEST | 49732 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:56.547553062 CEST | 49732 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:56.547561884 CEST | 443 | 49732 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:57.029202938 CEST | 443 | 49732 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:57.029278994 CEST | 49732 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:57.030998945 CEST | 49732 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:57.031006098 CEST | 443 | 49732 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:57.031254053 CEST | 443 | 49732 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:57.032401085 CEST | 49732 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:57.032421112 CEST | 49732 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:57.032469988 CEST | 443 | 49732 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:57.527528048 CEST | 443 | 49732 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:57.527587891 CEST | 443 | 49732 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:57.527618885 CEST | 443 | 49732 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:57.527653933 CEST | 443 | 49732 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:57.527719021 CEST | 49732 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:57.527740002 CEST | 443 | 49732 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:57.527749062 CEST | 49732 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:57.527920961 CEST | 443 | 49732 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:57.527961969 CEST | 443 | 49732 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:57.527970076 CEST | 49732 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:57.527981997 CEST | 443 | 49732 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:57.528021097 CEST | 49732 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:57.528023005 CEST | 443 | 49732 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:57.528037071 CEST | 443 | 49732 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:57.528084993 CEST | 49732 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:57.528090954 CEST | 443 | 49732 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:57.532202959 CEST | 443 | 49732 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:57.532255888 CEST | 49732 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:57.532258034 CEST | 443 | 49732 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:57.532272100 CEST | 443 | 49732 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:57.532313108 CEST | 49732 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:57.532485962 CEST | 443 | 49732 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:57.532563925 CEST | 443 | 49732 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:57.532596111 CEST | 443 | 49732 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:57.532605886 CEST | 49732 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:57.532620907 CEST | 443 | 49732 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:57.532685041 CEST | 49732 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:57.532686949 CEST | 443 | 49732 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:57.532737017 CEST | 49732 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:57.532849073 CEST | 49732 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:57.532862902 CEST | 443 | 49732 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:57.532876015 CEST | 49732 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:57.532881975 CEST | 443 | 49732 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:57.573395967 CEST | 49734 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:57.573427916 CEST | 443 | 49734 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:57.573517084 CEST | 49734 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:57.573837042 CEST | 49734 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:57.573844910 CEST | 443 | 49734 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:58.049772978 CEST | 443 | 49734 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:58.049868107 CEST | 49734 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:58.051124096 CEST | 49734 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:58.051130056 CEST | 443 | 49734 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:58.051347971 CEST | 443 | 49734 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:58.058393955 CEST | 49734 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:58.058549881 CEST | 49734 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:58.058572054 CEST | 443 | 49734 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:58.058634996 CEST | 49734 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:58.058643103 CEST | 443 | 49734 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:58.550507069 CEST | 443 | 49734 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:58.550601959 CEST | 443 | 49734 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:58.550774097 CEST | 49734 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:58.550925016 CEST | 49734 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:58.550940037 CEST | 443 | 49734 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:58.571229935 CEST | 49737 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:58.571269989 CEST | 443 | 49737 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:58.571412086 CEST | 49737 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:58.571758986 CEST | 49737 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:58.571767092 CEST | 443 | 49737 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:59.042278051 CEST | 443 | 49737 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:59.042372942 CEST | 49737 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:59.043816090 CEST | 49737 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:59.043822050 CEST | 443 | 49737 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:59.044049025 CEST | 443 | 49737 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:59.045274973 CEST | 49737 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:59.045408010 CEST | 49737 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:59.045427084 CEST | 443 | 49737 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:59.505090952 CEST | 443 | 49737 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:59.505194902 CEST | 443 | 49737 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:59.505314112 CEST | 49737 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:59.505625010 CEST | 49737 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:59.505640030 CEST | 443 | 49737 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:59.595763922 CEST | 49739 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:59.595804930 CEST | 443 | 49739 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:48:59.595901012 CEST | 49739 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:59.596349001 CEST | 49739 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:48:59.596362114 CEST | 443 | 49739 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:00.076571941 CEST | 443 | 49739 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:00.076641083 CEST | 49739 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:00.077991962 CEST | 49739 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:00.078006983 CEST | 443 | 49739 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:00.078244925 CEST | 443 | 49739 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:00.086294889 CEST | 49739 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:00.086467981 CEST | 49739 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:00.086504936 CEST | 443 | 49739 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:00.086569071 CEST | 49739 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:00.086581945 CEST | 443 | 49739 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:00.622426987 CEST | 443 | 49739 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:00.622517109 CEST | 443 | 49739 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:00.622586012 CEST | 49739 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:00.622673035 CEST | 49739 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:00.622684956 CEST | 443 | 49739 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:00.720819950 CEST | 49741 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:00.720849037 CEST | 443 | 49741 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:00.721019030 CEST | 49741 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:00.721307039 CEST | 49741 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:00.721316099 CEST | 443 | 49741 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:01.202503920 CEST | 443 | 49741 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:01.202636003 CEST | 49741 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:01.204106092 CEST | 49741 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:01.204113007 CEST | 443 | 49741 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:01.204360008 CEST | 443 | 49741 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:01.214482069 CEST | 49741 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:01.214601040 CEST | 49741 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:01.214637041 CEST | 443 | 49741 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:01.593481064 CEST | 443 | 49741 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:01.593574047 CEST | 443 | 49741 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:01.593628883 CEST | 49741 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:01.593806028 CEST | 49741 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:01.593817949 CEST | 443 | 49741 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:01.819303036 CEST | 49743 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:01.819343090 CEST | 443 | 49743 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:01.819403887 CEST | 49743 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:01.819725990 CEST | 49743 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:01.819737911 CEST | 443 | 49743 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:02.312637091 CEST | 443 | 49743 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:02.312818050 CEST | 49743 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:02.313865900 CEST | 49743 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:02.313873053 CEST | 443 | 49743 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:02.314101934 CEST | 443 | 49743 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:02.315193892 CEST | 49743 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:02.315284014 CEST | 49743 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:02.315290928 CEST | 443 | 49743 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:03.467730045 CEST | 443 | 49743 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:03.467855930 CEST | 443 | 49743 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:03.467910051 CEST | 49743 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:03.468022108 CEST | 49743 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:03.468036890 CEST | 443 | 49743 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:03.809130907 CEST | 49746 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:03.809170008 CEST | 443 | 49746 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:03.809250116 CEST | 49746 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:03.809614897 CEST | 49746 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:03.809632063 CEST | 443 | 49746 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:04.295015097 CEST | 443 | 49746 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:04.295101881 CEST | 49746 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:04.296324015 CEST | 49746 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:04.296334028 CEST | 443 | 49746 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:04.296641111 CEST | 443 | 49746 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:04.297826052 CEST | 49746 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:04.298618078 CEST | 49746 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:04.298654079 CEST | 443 | 49746 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:04.298754930 CEST | 49746 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:04.298815012 CEST | 443 | 49746 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:04.298943043 CEST | 49746 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:04.298978090 CEST | 443 | 49746 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:04.299125910 CEST | 49746 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:04.299154043 CEST | 443 | 49746 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:04.299309015 CEST | 49746 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:04.299344063 CEST | 443 | 49746 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:04.299541950 CEST | 49746 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:04.299571037 CEST | 443 | 49746 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:04.299585104 CEST | 49746 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:04.299603939 CEST | 443 | 49746 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:04.299752951 CEST | 49746 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:04.299781084 CEST | 443 | 49746 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:04.299806118 CEST | 49746 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:04.299951077 CEST | 49746 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:04.299981117 CEST | 49746 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:04.308917999 CEST | 443 | 49746 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:04.309132099 CEST | 49746 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:04.309161901 CEST | 443 | 49746 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:04.309190989 CEST | 49746 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:04.309206009 CEST | 443 | 49746 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:04.309247971 CEST | 49746 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:04.313684940 CEST | 443 | 49746 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:07.046963930 CEST | 443 | 49746 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:07.047055960 CEST | 443 | 49746 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:07.047120094 CEST | 49746 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:07.047276974 CEST | 49746 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:07.047292948 CEST | 443 | 49746 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:07.049734116 CEST | 49749 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:07.049777985 CEST | 443 | 49749 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:07.049864054 CEST | 49749 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:07.050462961 CEST | 49749 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:07.050473928 CEST | 443 | 49749 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:07.530997038 CEST | 443 | 49749 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:07.531086922 CEST | 49749 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:07.532799959 CEST | 49749 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:07.532810926 CEST | 443 | 49749 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:07.533041954 CEST | 443 | 49749 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:07.534487963 CEST | 49749 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:07.534513950 CEST | 49749 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:07.534554005 CEST | 443 | 49749 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:07.956258059 CEST | 443 | 49749 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:07.956358910 CEST | 443 | 49749 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:07.956422091 CEST | 49749 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:07.956666946 CEST | 49749 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:07.956681967 CEST | 443 | 49749 | 104.21.27.50 | 192.168.2.4 |
| Jul 4, 2024 21:49:07.956712961 CEST | 49749 | 443 | 192.168.2.4 | 104.21.27.50 |
| Jul 4, 2024 21:49:07.956717014 CEST | 443 | 49749 | 104.21.27.50 | 192.168.2.4 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jul 4, 2024 21:48:55.279320002 CEST | 52454 | 53 | 192.168.2.4 | 1.1.1.1 |
| Jul 4, 2024 21:48:55.295074940 CEST | 53 | 52454 | 1.1.1.1 | 192.168.2.4 |
| Jul 4, 2024 21:49:27.735131979 CEST | 53 | 50150 | 162.159.36.2 | 192.168.2.4 |
| Jul 4, 2024 21:49:28.220741034 CEST | 53747 | 53 | 192.168.2.4 | 1.1.1.1 |
| Jul 4, 2024 21:49:28.230101109 CEST | 53 | 53747 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Jul 4, 2024 21:48:55.279320002 CEST | 192.168.2.4 | 1.1.1.1 | 0xb772 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jul 4, 2024 21:49:28.220741034 CEST | 192.168.2.4 | 1.1.1.1 | 0x8538 | Standard query (0) | PTR (Pointer record) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jul 4, 2024 21:48:55.295074940 CEST | 1.1.1.1 | 192.168.2.4 | 0xb772 | No error (0) | 104.21.27.50 | A (IP address) | IN (0x0001) | false | ||
| Jul 4, 2024 21:48:55.295074940 CEST | 1.1.1.1 | 192.168.2.4 | 0xb772 | No error (0) | 172.67.168.236 | A (IP address) | IN (0x0001) | false | ||
| Jul 4, 2024 21:49:28.230101109 CEST | 1.1.1.1 | 192.168.2.4 | 0x8538 | Name error (3) | none | none | PTR (Pointer record) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49730 | 104.21.27.50 | 443 | 7560 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-07-04 19:48:55 UTC | 269 | OUT | |
| 2024-07-04 19:48:55 UTC | 8 | OUT | |
| 2024-07-04 19:48:56 UTC | 810 | IN | |
| 2024-07-04 19:48:56 UTC | 7 | IN | |
| 2024-07-04 19:48:56 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49732 | 104.21.27.50 | 443 | 7560 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-07-04 19:48:57 UTC | 270 | OUT | |
| 2024-07-04 19:48:57 UTC | 51 | OUT | |
| 2024-07-04 19:48:57 UTC | 812 | IN | |
| 2024-07-04 19:48:57 UTC | 557 | IN | |
| 2024-07-04 19:48:57 UTC | 1369 | IN | |
| 2024-07-04 19:48:57 UTC | 1369 | IN | |
| 2024-07-04 19:48:57 UTC | 1369 | IN | |
| 2024-07-04 19:48:57 UTC | 1369 | IN | |
| 2024-07-04 19:48:57 UTC | 1369 | IN | |
| 2024-07-04 19:48:57 UTC | 575 | IN | |
| 2024-07-04 19:48:57 UTC | 1369 | IN | |
| 2024-07-04 19:48:57 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.4 | 49734 | 104.21.27.50 | 443 | 7560 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-07-04 19:48:58 UTC | 288 | OUT | |
| 2024-07-04 19:48:58 UTC | 15331 | OUT | |
| 2024-07-04 19:48:58 UTC | 2836 | OUT | |
| 2024-07-04 19:48:58 UTC | 802 | IN | |
| 2024-07-04 19:48:58 UTC | 19 | IN | |
| 2024-07-04 19:48:58 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.4 | 49737 | 104.21.27.50 | 443 | 7560 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-07-04 19:48:59 UTC | 287 | OUT | |
| 2024-07-04 19:48:59 UTC | 8788 | OUT | |
| 2024-07-04 19:48:59 UTC | 804 | IN | |
| 2024-07-04 19:48:59 UTC | 19 | IN | |
| 2024-07-04 19:48:59 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.4 | 49739 | 104.21.27.50 | 443 | 7560 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-07-04 19:49:00 UTC | 288 | OUT | |
| 2024-07-04 19:49:00 UTC | 15331 | OUT | |
| 2024-07-04 19:49:00 UTC | 5110 | OUT | |
| 2024-07-04 19:49:00 UTC | 814 | IN | |
| 2024-07-04 19:49:00 UTC | 19 | IN | |
| 2024-07-04 19:49:00 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.4 | 49741 | 104.21.27.50 | 443 | 7560 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-07-04 19:49:01 UTC | 287 | OUT | |
| 2024-07-04 19:49:01 UTC | 5442 | OUT | |
| 2024-07-04 19:49:01 UTC | 804 | IN | |
| 2024-07-04 19:49:01 UTC | 19 | IN | |
| 2024-07-04 19:49:01 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.4 | 49743 | 104.21.27.50 | 443 | 7560 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-07-04 19:49:02 UTC | 287 | OUT | |
| 2024-07-04 19:49:02 UTC | 1286 | OUT | |
| 2024-07-04 19:49:03 UTC | 802 | IN | |
| 2024-07-04 19:49:03 UTC | 19 | IN | |
| 2024-07-04 19:49:03 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.4 | 49746 | 104.21.27.50 | 443 | 7560 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-07-04 19:49:04 UTC | 289 | OUT | |
| 2024-07-04 19:49:04 UTC | 15331 | OUT | |
| 2024-07-04 19:49:04 UTC | 15331 | OUT | |
| 2024-07-04 19:49:04 UTC | 15331 | OUT | |
| 2024-07-04 19:49:04 UTC | 15331 | OUT | |
| 2024-07-04 19:49:04 UTC | 15331 | OUT | |
| 2024-07-04 19:49:04 UTC | 15331 | OUT | |
| 2024-07-04 19:49:04 UTC | 15331 | OUT | |
| 2024-07-04 19:49:04 UTC | 15331 | OUT | |
| 2024-07-04 19:49:04 UTC | 15331 | OUT | |
| 2024-07-04 19:49:04 UTC | 15331 | OUT | |
| 2024-07-04 19:49:07 UTC | 814 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 8 | 192.168.2.4 | 49749 | 104.21.27.50 | 443 | 7560 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-07-04 19:49:07 UTC | 270 | OUT | |
| 2024-07-04 19:49:07 UTC | 86 | OUT | |
| 2024-07-04 19:49:07 UTC | 800 | IN | |
| 2024-07-04 19:49:07 UTC | 54 | IN | |
| 2024-07-04 19:49:07 UTC | 5 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 15:48:53 |
| Start date: | 04/07/2024 |
| Path: | C:\Users\user\Desktop\qeUaxJCA3FO.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xf90000 |
| File size: | 530'432 bytes |
| MD5 hash: | EFC76B9581DA08661C9C91C2A6E7D289 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 15:48:54 |
| Start date: | 04/07/2024 |
| Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x180000 |
| File size: | 65'440 bytes |
| MD5 hash: | 0D5DF43AF2916F47D00C1573797C1A13 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 15:48:54 |
| Start date: | 04/07/2024 |
| Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xf60000 |
| File size: | 65'440 bytes |
| MD5 hash: | 0D5DF43AF2916F47D00C1573797C1A13 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 5 |
| Start time: | 15:48:54 |
| Start date: | 04/07/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xe0000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 2.8% |
| Dynamic/Decrypted Code Coverage: | 0.4% |
| Signature Coverage: | 3.2% |
| Total number of Nodes: | 2000 |
| Total number of Limit Nodes: | 19 |
Graph
Function 0287018D Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 282threadinjectionmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FA9B12 Relevance: .0, Instructions: 29COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB9C80 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 111threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FA8BAF Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB9B20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93memorysynchronizationthreadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F9F7DC Relevance: 4.6, APIs: 3, Instructions: 51threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F9F680 Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FA9B87 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB2A0F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB2280 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FA9D96 Relevance: 6.3, APIs: 4, Instructions: 337COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FAF7AE Relevance: 6.2, APIs: 4, Instructions: 206fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F9B69A Relevance: 6.1, APIs: 4, Instructions: 70COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB2693 Relevance: 4.7, APIs: 3, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FA5570 Relevance: 3.4, APIs: 2, Instructions: 449COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F92880 Relevance: 3.0, Strings: 2, Instructions: 463COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F93320 Relevance: 3.0, Strings: 2, Instructions: 463COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F9B380 Relevance: 1.6, APIs: 1, Instructions: 147COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FA15A4 Relevance: 1.6, Strings: 1, Instructions: 344COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB28E6 Relevance: 1.6, APIs: 1, Instructions: 83COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FA125C Relevance: 1.6, Strings: 1, Instructions: 314COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB2B15 Relevance: 1.5, APIs: 1, Instructions: 45COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB247B Relevance: 1.5, APIs: 1, Instructions: 43COMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F9B7F6 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB2E46 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FA9B56 Relevance: .0, Instructions: 22COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FA69CE Relevance: .0, Instructions: 12COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F9AD2D Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 19libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F9E508 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FADBF7 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 298COMMONLIBRARYCODE
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB68FA Relevance: 12.2, APIs: 8, Instructions: 248COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F9AB11 Relevance: 12.2, APIs: 8, Instructions: 175COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F96100 Relevance: 9.1, APIs: 6, Instructions: 95COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F95A60 Relevance: 9.1, APIs: 6, Instructions: 95COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FA69F0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FAECA2 Relevance: 7.7, APIs: 5, Instructions: 202COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F97BDC Relevance: 7.6, APIs: 5, Instructions: 65COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F9930F Relevance: 7.6, APIs: 5, Instructions: 65COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F92230 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 74COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F9F2E2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FAF4BA Relevance: 6.1, APIs: 4, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FA5DCA Relevance: 6.1, APIs: 4, Instructions: 79COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FB0450 Relevance: 6.1, APIs: 4, Instructions: 74COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F92160 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F9E8AD Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00F919B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 15.1% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 27.7% |
| Total number of Nodes: | 296 |
| Total number of Limit Nodes: | 17 |
Graph
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00417742 Relevance: 9.3, Strings: 7, Instructions: 567COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040A2D0 Relevance: 9.2, Strings: 7, Instructions: 476COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004209C0 Relevance: 4.4, Strings: 3, Instructions: 688COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00416DB9 Relevance: 4.2, Strings: 3, Instructions: 402COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00437520 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00418D70 Relevance: 1.4, Strings: 1, Instructions: 146COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041AE00 Relevance: 1.4, Strings: 1, Instructions: 134COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004171F0 Relevance: .4, Instructions: 363COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00415ED0 Relevance: .3, Instructions: 332COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004165AF Relevance: .1, Instructions: 61COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042D116 Relevance: .0, Instructions: 23COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042BA9A Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 84memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040A9C0 Relevance: 6.1, APIs: 2, Strings: 1, Instructions: 808libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004371A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 131libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00437470 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040FE8F Relevance: 1.6, APIs: 1, Instructions: 50COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00435172 Relevance: 1.5, APIs: 1, Instructions: 46memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00436BAF Relevance: 1.5, APIs: 1, Instructions: 16COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004352B2 Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042E680 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 120clipboardCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004182FE Relevance: 7.8, Strings: 6, Instructions: 290COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00433462 Relevance: 7.8, Strings: 6, Instructions: 278COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00422E10 Relevance: 5.4, Strings: 4, Instructions: 437COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041D2D4 Relevance: 2.9, Strings: 2, Instructions: 387COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00414166 Relevance: 2.7, Strings: 2, Instructions: 207COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004390D0 Relevance: 2.6, Strings: 1, Instructions: 1315COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00426DC3 Relevance: 1.9, APIs: 1, Instructions: 372COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041F836 Relevance: 1.4, Strings: 1, Instructions: 113COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041393C Relevance: 1.4, Strings: 1, Instructions: 104COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00435540 Relevance: 1.3, Strings: 1, Instructions: 99COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004154D3 Relevance: 1.3, Strings: 1, Instructions: 86COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00413880 Relevance: 1.3, Strings: 1, Instructions: 47COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004396B0 Relevance: 1.0, Instructions: 958COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00439800 Relevance: .9, Instructions: 900COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004087E0 Relevance: .8, Instructions: 847COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00425C76 Relevance: .8, Instructions: 811COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00439BB0 Relevance: .6, Instructions: 599COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004274ED Relevance: .3, Instructions: 334COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041F9F6 Relevance: .3, Instructions: 324COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00427510 Relevance: .3, Instructions: 320COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004039F0 Relevance: .2, Instructions: 160COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041FF50 Relevance: .1, Instructions: 149COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004159A0 Relevance: .1, Instructions: 146COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004165C4 Relevance: .1, Instructions: 128COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402E70 Relevance: .1, Instructions: 95COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042118E Relevance: .1, Instructions: 78COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004282C0 Relevance: .1, Instructions: 72COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004306E0 Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004253B0 Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00413FA2 Relevance: .1, Instructions: 53COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403BB0 Relevance: .0, Instructions: 46COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040E4F0 Relevance: .0, Instructions: 21COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00428A46 Relevance: .0, Instructions: 17COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00423AAF Relevance: .0, Instructions: 8COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|