Windows
Analysis Report
ufp4rvU3SP.exe
Overview
General Information
Sample name: | ufp4rvU3SP.exe (renamed because original name is a hash value) |
Original sample name: | 56267b2331a42b473283d7f2798cc1f5.exe |
Analysis ID: | 1540301 |
MD5: | 56267b2331a42b473283d7f2798cc1f5 |
SHA1: | 29407f372b0612ca134bdb5bb8d92e969d75318d |
SHA256: | eb701cd5f43f77e8c9eb399bbb9c0bff5b14004925b92c6210bf2ccf3a1135e7 |
Tags: | exe, user-abuse_ch |
Infos: | |
Detection
Score: | 72 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- ufp4rvU3SP.exe (PID: 7672 cmdline: "C:\Users\user\Desktop\ufp4rvU3SP.exe" MD5: 56267B2331A42B473283D7F2798CC1F5)
  - MSBuild.exe (PID: 7728 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  - MSBuild.exe (PID: 7736 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  - Honda.exe (PID: 7900 cmdline: "C:\Users\user\AppData\Local\Temp\Honda\Honda.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  - conhost.exe (PID: 7908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - WerFault.exe (PID: 7852 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7672 -s 280 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- Honda.exe (PID: 8164 cmdline: "C:\Users\user\AppData\Local\Temp\Honda\Honda.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  - conhost.exe (PID: 8176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- Honda.exe (PID: 3568 cmdline: "C:\Users\user\AppData\Local\Temp\Honda\Honda.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  - conhost.exe (PID: 3352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- Honda.exe (PID: 1872 cmdline: "C:\Users\user\AppData\Local\Temp\Honda\Honda.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  - conhost.exe (PID: 5276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: |
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
Source: | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): |
AV Detection |
---|
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | 0_2_0012D2FE |
Source: | File opened: | 6 entries |
Source: | TCP traffic detected without corresponding DNS query: | 50 entries |
Source: | String found in binary or memory: | 13 entries |
Source: | Network traffic detected: | 8 entries |
Source: | Code function: | 0_2_00112805 |
Source: | Code function: | 0_2_0012F840 |
Source: | Code function: | 0_2_001310A3 |
Source: | Code function: | 0_2_0011F9EC |
Source: | Code function: | 0_2_00112A0F |
Source: | Code function: | 0_2_00119B05 |
Source: | Code function: | 0_2_00127C32 |
Source: | Code function: | 0_2_0012943C |
Source: | Code function: | 0_2_0011FD34 |
Source: | Code function: | 0_2_00122D90 |
Source: | Code function: | 3_2_01283108 |
Source: | Code function: | 3_2_01289A30 |
Source: | Code function: | 3_2_01280848 |
Source: | Code function: | 3_2_01287850 |
Source: | Code function: | 3_2_012842E8 |
Source: | Code function: | 3_2_012807B0 |
Source: | Code function: | 3_2_01289A20 |
Source: | Code function: | 3_2_01287A9C |
Source: | Code function: | 3_2_012842C8 |
Source: | Code function: | 7_2_02EE5A41 |
Source: | Code function: | 7_2_02EE2788 |
Source: | Code function: | 7_2_02EE1E2F |
Source: | Code function: | 10_2_01581CC0 |
Source: | Code function: | 10_2_01582788 |
Source: | Code function: | 10_2_01585A41 |
Source: | Code function: | 13_2_024E5A41 |
Source: | Code function: | 13_2_024E2788 |
Source: | Code function: | 13_2_024E1CC0 |
Source: | Code function: | 15_2_00BF2CC8 |
Source: | Code function: | 15_2_00BF5AA8 |
Source: | Code function: | 15_2_00BF1E2F |
Source: | Code function: | 15_2_00BF2CC1 |
Source: | Code function: |
Source: | Process created: |
Source: | Static PE information: |
Source: | Binary or memory string: | 2 entries |
Source: | Static PE information: |
Source: | Task registration methods: | 4 entries |
Source: | Security API names: | 5 entries |
Source: | Binary or memory string: | 12 entries |
Source: | Classification label: |
Source: | File created: |
Source: | Mutant created: | 5 entries |
Source: | File created: |
Source: | Static PE information: |
Source: | File read: |
Source: | Key opened: |
Source: | ReversingLabs: |
Source: | Process created: | 15 entries |
Source: | Section loaded: | 57 entries |
Source: | Key value queried: |
Source: | LNK file: |
Source: | Window detected: |
Source: | File opened: |
Source: | Static PE information: | 6 entries |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Static PE information: | 5 entries |
Source: | Static PE information: |
Source: | Code function: | 0_2_0011993F |
Source: | Code function: | 0_2_00112F76 |
Source: | File created (dropped file): |
Source: | File created: |
Source: | File created: |
Source: | Registry value created or modified: | 2 entries |
Source: | Process information set: | 150 entries |
Source: | Memory allocated: | 15 entries |
Source: | Thread delayed: | 5 entries |
Source: | Evasive API call chain: | graph_0-19984 |
Source: | API coverage: |
Source: | Thread sleep count: |
Source: | Thread sleep time: | 5 entries |
Source: | Code function: | 0_2_0012D2FE |
Source: | Thread delayed: | 5 entries |
Source: | File opened: | 6 entries |
Source: | Binary or memory string: | 29 entries |
Source: | Process queried: | 2 entries |
Source: | Code function: | 0_2_00112F17 |
Source: | Code function: | 0_2_0011A085 |
Source: | Code function: | 0_2_00112F7C |
Source: | Code function: | 0_2_00123BBE |
Source: | Code function: | 0_2_0012CC6F |
Source: | Code function: | 0_2_0012E177 |
Source: | Code function: | 0_2_0011A085 |
Source: | Code function: | 0_2_0011A212 |
Source: | Code function: | 0_2_00120B69 |
Source: | Code function: | 0_2_00119E74 |
Source: | Memory allocated: |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Memory allocated: |
Source: | Memory written: |
Source: | Memory written: | 5 entries |
Source: | Process created: | 3 entries |
Source: | Code function: | 0_2_00130031 |
Source: | Code function: | 0_2_00127026 |
Source: | Code function: | 0_2_0013007C |
Source: | Code function: | 0_2_00130117 |
Source: | Code function: | 0_2_001301A2 |
Source: | Code function: | 0_2_001303F5 |
Source: | Code function: | 0_2_001274EF |
Source: | Code function: | 0_2_0013051E |
Source: | Code function: | 0_2_0012FD8F |
Source: | Code function: | 0_2_00130624 |
Source: | Code function: | 0_2_001306F3 |
Source: | Queries volume information: | 14 entries |
Source: | Code function: | 0_2_0011A2C5 |
Source: | Binary or memory string: | 5 entries |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 311 Process Injection | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 12 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 Native API | 21 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 1 Disable or Modify Tools | LSASS Memory | 41 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 21 Registry Run Keys / Startup Folder | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 311 Process Injection | NTDS | 3 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 22 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 61% | ReversingLabs | Win32.Trojan.LummaC | |
| 100% | Joe Sandbox ML | | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | ReversingLabs | | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1540301 |
Start date and time: | 2024-10-23 17:03:08 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 6m 49s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Run name: | Run with higher sleep bypass |
Number of new started processes analysed: | 20 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | ufp4rvU3SP.exerenamed because original name is a hash value |
Original Sample Name: | 56267b2331a42b473283d7f2798cc1f5.exe |
Detection: | MAL |
Classification: | mal72.evad.winEXE@15/13@0/0 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 40.126.32.74, 40.126.32.72, 40.126.32.68, 40.126.32.138, 20.190.160.20, 40.126.32.133, 40.126.32.136, 20.190.160.17, 93.184.221.240, 20.42.65.92, 20.12.23.50, 192.229.221.95, 13.85.23.206, 20.3.187.198
- Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, ctldl.windowsupdate.com.delivery.microsoft.com, slscr.update.microsoft.com, wu.ec.azureedge.net, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, wu.azureedge.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, blobcollector.events.data.trafficmanager.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, hlb.apr-52dd2-0.edgecastdns.net, sls.update.microsoft.com, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
- Execution Graph export aborted for target Honda.exe, PID 1872 because it is empty
- Execution Graph export aborted for target Honda.exe, PID 3568 because it is empty
- Execution Graph export aborted for target Honda.exe, PID 7900 because it is empty
- Execution Graph export aborted for target Honda.exe, PID 8164 because it is empty
- Execution Graph export aborted for target MSBuild.exe, PID 7736 because it is empty
- Not all processes were analyzed; the report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: ufp4rvU3SP.exe
Time | Type | Description |
---|---|---|
17:04:09 | Autostart | |
17:04:17 | Autostart | |
17:04:25 | Autostart |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
fp2e7a.wpc.phicdn.net | | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
C:\Users\user\AppData\Local\Temp\Honda\Honda.exe | | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ufp4rvU3SP.exe_f473e7d92347dce301baac3bbe865c96d17095_54d7168b_e9a717ee-61ef-48e7-8587-1f2c24c7fb8e\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.6551038540789501 |
Encrypted: | false |
SSDEEP: | 96:lcFFoWAs7hgzxTMjh6tQXIDcQvc6QcEVcw3cE/n+HbHg/5hZAX/d5FMT2SlPkpX2:ipAd80BU/gjhzuiFKZ24IO8LBq |
MD5: | D72FA1C6BBF2489788655B7BE442B914 |
SHA1: | E52408708D2BCD5BC86DEA12FAE5C4823E49C945 |
SHA-256: | DA39777D66138E53B8B8A3635A426AFE9410017CE4E32A58EA322450C705BF2D |
SHA-512: | 46B79568C08F8D7B712BAC8F65A849931DDF2D46012051031004CE70E88FE02684921DA9EF64245765273829AF91CDFDF17A9A9E50395F03F8EAB5A218F7705E |
Malicious: | true |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 41386 |
Entropy (8bit): | 1.6708722927420803 |
Encrypted: | false |
SSDEEP: | 192:Z1RirJqrOAPlWc7hgH2OOAE/vm7dRqIQ+KDk:iJ9APlWc7AZ7dRqbQ |
MD5: | 9424A96BE11B4515F78D1F592E024FE6 |
SHA1: | 4FCEF27C7165C7EE535AAD000F008A097B048C62 |
SHA-256: | E155C6AC5848717E6E40613231C3720F6C0061F0172868BAD0A4768F27036CD4 |
SHA-512: | BCCBFC1CB0D5B89023AEE08A9C862B0E4479B639E9E2B86854CD32EBC4AF5B81656572BF0268F742830D54F84FF96C38A818798645DB4681ACFBB8683AF9C176 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8374 |
Entropy (8bit): | 3.6904986415410006 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJTa6zb5zbe6YSFSU9tyDyGgmfA4QPpr789blbGsfgfjm:R6lXJO6zdzi6YASU9t2TgmfA4Q+lblfx |
MD5: | E842D7CCEFAFAAF2BDB9E96583D7514C |
SHA1: | 52876465285C566A2F23DE43A43A212E2B4B890F |
SHA-256: | 3FE158AA36B74AC4B665FF82D4EC760AD982C29BE4ACB3457EE7FDFB663B78C9 |
SHA-512: | 668B65139119C1F2EE3FB7CACA3D714766C4288FCC188FE3F8013823A5919C572BACDAAC49A7087950D54436C85211A6BC78FBB6B8CE9C7CCAD05DEC982B4C84 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4696 |
Entropy (8bit): | 4.465101796608262 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsSJg77aI9A/hWpW8VYRYm8M4JnUFq+q8vm1xDSprPaad:uIjfgI7Iw7VdJzKqpkbaad |
MD5: | D6795F0E7F58F7FC0CAEC670A5BBD030 |
SHA1: | A6691937A45632AB2D3609F54F1FC1752FB0D872 |
SHA-256: | B771E97519924FB4A22E73FBC1B5D7B9725C91D09869016EBDAAB52E8090CDE3 |
SHA-512: | 4E6980761B39E1A8DB402005DF9F22DC44B588DCC890C3ED53682F90BD634C4021FD1B4349D890805C452403604C78172BFD7138EDDE5A3B80D05B98C375295E |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\Honda\Honda.exe |
File Type: | |
Category: | modified |
Size (bytes): | 841 |
Entropy (8bit): | 5.351831766340675 |
Encrypted: | false |
SSDEEP: | 24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoIvEE4xDqE4j:MxHKlYHKh3oPtHo6wvEHxDqHj |
MD5: | 98DCC730A3C77DCDCA7CD8717EB5D42A |
SHA1: | 639509210C17EB73F5DB581FA8CA46B1157D8806 |
SHA-256: | E3C80885BCC7FE4F349EFB0470D261E0DE273EE26D47AF09C79F1B4B2F891E49 |
SHA-512: | 7D11C53167839D428DAE35BF759C73FC0C7C49F2DE35CC99E4F8B69CDD40DFBEEF6D355F15FAB1EED62A64AF94E7BA311C0F8E07C3DA6F3A63410CC3E9882B78 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 636 |
Entropy (8bit): | 5.363873409814957 |
Encrypted: | false |
SSDEEP: | 12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhadDLI4MNsf6cv:ML9E4KlKDE4KhKiKhwE4Tye |
MD5: | 43484EA7D5BD7DE47119BC063D65D7AF |
SHA1: | FCE0A3922FB3E421F8EF74E9A94E60F8DE7F97F5 |
SHA-256: | C00C48279B0CCFF866BB59D1DD5B77C65594B86BD4D16DE0F2EFAD2778F57A23 |
SHA-512: | A56C0609179C003044AFEC26019EAEC0ECC772108327EB01F817B88780981289A61E795F6E8745FDEAE99D8543B57344F80A9542BDA2933787C5C8331C869820 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 262432 |
Entropy (8bit): | 6.179415524830389 |
Encrypted: | false |
SSDEEP: | 3072:7a0t0yH5wCwie3NnQNLpj/Wnqvsw2XpFU4rwOeTubZSzf02RFihx2uzj:m0ny3nnKpqnZRXfw702birr/ |
MD5: | 8FDF47E0FF70C40ED3A17014AEEA4232 |
SHA1: | E6256A0159688F0560B015DA4D967F41CBF8C9BD |
SHA-256: | ED9884BAC608C06B7057037CC91D90E4AE5F74DD2DBCE2AF476699C6D4492D82 |
SHA-512: | BD69D092ED4F9C5E1F24EAF5EC79FB316469D53849DC798FAE0FCBA5E90869B77EE924C23CC6F692198FF25827AB60AD47BB46CADD6E0AADDE7731CBAFB013BE |
Malicious: | false |
Antivirus: | |
Joe Sandbox View: | |
Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleApp_6d4e6e429fc6404698bba07c4b921c78.lnk
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1123 |
Entropy (8bit): | 4.961321765393267 |
Encrypted: | false |
SSDEEP: | 24:8Rc9FJR6gKx8YQE5ryhREsQAkMIK+E6E6ptz1Zqygm:8Rc7JRINQw+hRVkMIK+/ZtZwyg |
MD5: | 1075EC8836DC6E584656935B37C2A966 |
SHA1: | 02D6331903C80CBECDFB9F45AFCC79A84C0965A1 |
SHA-256: | 9E6E97F9A7395E741C7AB52DAA50B57808C53CE4D255BB343281553851DDBF20 |
SHA-512: | 836792F4B86EFFDC1BF8A7AB541618CD16657475B41CB660F688F3E8EBC048B6FDBC9411A4FF8B64200DE9D4F998626C63E5B2357F4531ED7B164A31BFBC310E |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1835008 |
Entropy (8bit): | 4.372063883413596 |
Encrypted: | false |
SSDEEP: | 6144:ZFVfpi6ceLP/9skLmb0ayWWSPtaJG8nAge35OlMMhA2AX4WABlguNBiL:PV1QyWWI/glMM6kF7Dq |
MD5: | DBDA216667D4EDDC28F8A6759B27FE1D |
SHA1: | 73B90DBD49D81DC6891F3B269EBEF79A8B01529F |
SHA-256: | 58353F960C625BCB7DCBD95FB773155B10202FB2E043159691B7019A5B3C6C29 |
SHA-512: | 02DCED2B47B934D50A697ADA327C9AC12AE31E5643DD452A3A92AECDDBA63AA645389E05CE0CD6774DE131F9093C75D2C6CAAE072FDAEA89AF4BDE23A9B55415 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\Honda\Honda.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 298 |
Entropy (8bit): | 4.924206445966445 |
Encrypted: | false |
SSDEEP: | 6:zx3M1tFAbQtASR30qyMstwYVoRRZBXVN+J0fFdCsq2UTiMdH8stCal+n:zK13P30ZMt9BFN+QdCT2UftCM+ |
MD5: | 932782CF70ED00D22C0B08B5027B4E31 |
SHA1: | 78F460A2155D9E819B8452C281285D7E0A7AC14F |
SHA-256: | F2C2477FB3FD0A30F3D3D8637EF9C774B43E940043635DF90CDD804799A2ECE7 |
SHA-512: | C83E72797C03CABCAB066B95BAEEBB13944143846794061CF9482EA3B283979E470930047FDAE72A6F06F51F3127FF39DAAEFAAD7557E3AD49F590B9E7B78D24 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 6.858231551366821 |
TrID: | |
File name: | ufp4rvU3SP.exe |
File size: | 294'016 bytes |
MD5: | 56267b2331a42b473283d7f2798cc1f5 |
SHA1: | 29407f372b0612ca134bdb5bb8d92e969d75318d |
SHA256: | eb701cd5f43f77e8c9eb399bbb9c0bff5b14004925b92c6210bf2ccf3a1135e7 |
SHA512: | 2f9c0b086e8fa4123db6b640ee27abfc2f5f05743d4750002f4de0c6b0b5c7861f2329573fddf92cc608ec50c25b1f0b61d177f448b1d663f885c341a53fb634 |
SSDEEP: | 6144:QuEDjIKQebn/EWGIezYFuJ1RAldW7FMWuAJc5alr7v:NWIKQeb/E3JUlABNJcAlr7v |
TLSH: | 3354AE2279C0C472D66325310AF4DBB56B7DF9700F655A8F67A80B7E0F702819B31A6B |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........L..v...v...v...u...v...s.a.v...r...v...w...v...w.M.v...r...v...u...v...s...v.......v.......v...t...v.Rich..v................ |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x409922 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x6716513E [Mon Oct 21 13:03:58 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 31770ac6e89309fe8c99522fb04f055c |
Signature Valid: | false |
Signature Issuer: | CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB |
Signature Validation Error: | The digital signature of the object did not verify |
Error Number: | -2146869232 |
Not Before, Not After | |
Subject Chain | |
Version: | 3 |
Thumbprint MD5: | AD1BCBF19AE2F91BB114D33B85359E56 |
Thumbprint SHA-1: | 141D90A1BA8F61863FBEDDF7DD1D66C1D1E0B128 |
Thumbprint SHA-256: | A08EA2A7A257AD690B988446951E9DEF2986A2F3F546B6F0902805330F3B6B48 |
Serial: | 00D0461B529F67189D43744E9CEFE172AE |
Instruction |
---|
call 00007F3EBCD74ED0h |
jmp 00007F3EBCD7435Fh |
mov ecx, dword ptr [ebp-0Ch] |
mov dword ptr fs:[00000000h], ecx |
pop ecx |
pop edi |
pop edi |
pop esi |
pop ebx |
mov esp, ebp |
pop ebp |
push ecx |
ret |
mov ecx, dword ptr [ebp-10h] |
xor ecx, ebp |
call 00007F3EBCD73F02h |
jmp 00007F3EBCD744C2h |
push eax |
push dword ptr fs:[00000000h] |
lea eax, dword ptr [esp+0Ch] |
sub esp, dword ptr [esp+0Ch] |
push ebx |
push esi |
push edi |
mov dword ptr [eax], ebp |
mov ebp, eax |
mov eax, dword ptr [00432180h] |
xor eax, ebp |
push eax |
push dword ptr [ebp-04h] |
mov dword ptr [ebp-04h], FFFFFFFFh |
lea eax, dword ptr [ebp-0Ch] |
mov dword ptr fs:[00000000h], eax |
ret |
push eax |
push dword ptr fs:[00000000h] |
lea eax, dword ptr [esp+0Ch] |
sub esp, dword ptr [esp+0Ch] |
push ebx |
push esi |
push edi |
mov dword ptr [eax], ebp |
mov ebp, eax |
mov eax, dword ptr [00432180h] |
xor eax, ebp |
push eax |
mov dword ptr [ebp-10h], eax |
push dword ptr [ebp-04h] |
mov dword ptr [ebp-04h], FFFFFFFFh |
lea eax, dword ptr [ebp-0Ch] |
mov dword ptr fs:[00000000h], eax |
ret |
push eax |
push dword ptr fs:[00000000h] |
lea eax, dword ptr [esp+0Ch] |
sub esp, dword ptr [esp+0Ch] |
push ebx |
push esi |
push edi |
mov dword ptr [eax], ebp |
mov ebp, eax |
mov eax, dword ptr [00432180h] |
xor eax, ebp |
push eax |
mov dword ptr [ebp-10h], esp |
push dword ptr [ebp-04h] |
mov dword ptr [ebp-04h], FFFFFFFFh |
lea eax, dword ptr [ebp-0Ch] |
mov dword ptr fs:[00000000h], eax |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x30bc0 | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x43000 | 0x1e0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x44e00 | 0x2e80 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x44000 | 0x2104 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2e088 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x2e0c0 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2dfc8 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x26000 | 0x158 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x247c5 | 0x24800 | 6dae0d479bc611c4ee23089dfeba7452 | False | 0.583623180650685 | data | 6.665208556636056 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x26000 | 0xb3c6 | 0xb400 | a83439cce44dd8cdadafac7224d8129d | False | 0.4263237847222222 | data | 4.900884880517839 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x32000 | 0x106cc | 0xf800 | 165c81362e9bab5d52efe1dce4311a7c | False | 0.915495841733871 | data | 7.834803492227552 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x43000 | 0x1e0 | 0x200 | 9866eeb93e80b773405f3d7936b83641 | False | 0.52734375 | data | 4.7074344725994175 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x44000 | 0x2104 | 0x2200 | 1f7fd92f797137669f7137f1f00d6e76 | False | 0.7344898897058824 | data | 6.455013830478276 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.bsp | 0x47000 | 0x3000 | 0x3000 | cb48a2ce30fdb738d07aa9b335b543e2 | False | 0.033772786458333336 | data | 0.3557900760954866 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_MANIFEST | 0x43060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727 |
DLL | Import |
---|---|
KERNEL32.dll | GlobalFindAtomA, RaiseException, GetCurrentThreadId, IsProcessorFeaturePresent, GetLastError, FreeLibraryWhenCallbackReturns, CreateThreadpoolWork, SubmitThreadpoolWork, CloseThreadpoolWork, GetModuleHandleExW, WakeAllConditionVariable, SleepConditionVariableSRW, InitOnceComplete, InitOnceBeginInitialize, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, WideCharToMultiByte, CloseHandle, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, MultiByteToWideChar, LCMapStringEx, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, GetStringTypeW, GetCPInfo, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsDebuggerPresent, GetStartupInfoW, GetCurrentProcessId, InitializeSListHead, CreateFileW, RtlUnwind, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleFileNameW, GetStdHandle, WriteFile, HeapAlloc, HeapFree, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, SetStdHandle, HeapSize, WriteConsoleW |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 23, 2024 17:04:00.908982992 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:00.909085989 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:00.909933090 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:00.909992933 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:00.910196066 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:00.910245895 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:00.911932945 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:00.911973000 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:00.912997961 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:00.913111925 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:00.918432951 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:00.918545961 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.039443016 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.039747000 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.039834976 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.039879084 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.039940119 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.040066004 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.043693066 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.044418097 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.045115948 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.048907995 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.049026966 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.049452066 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.049514055 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.049583912 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.049884081 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.050491095 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.050921917 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.052495956 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.056277990 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.058089972 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.176580906 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.179263115 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.179419041 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.179446936 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.179485083 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.181435108 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.181459904 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.183811903 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.183886051 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.184751034 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.185379982 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.185446978 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.185869932 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.186774969 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.187252045 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.193810940 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.313960075 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.315531969 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.315567970 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.315593004 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.317812920 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.317876101 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.318569899 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.319792986 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.319868088 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.320417881 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.320485115 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.321794033 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.322144985 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.323748112 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.327270985 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.371566057 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.439589024 CEST | 49671 | 443 | 192.168.2.8 | 204.79.197.203 |
Oct 23, 2024 17:04:01.451003075 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.451025009 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.451093912 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.451385975 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.451886892 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.451931953 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.454668999 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.454710007 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.454757929 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.454972029 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.455013990 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.455722094 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.458484888 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.459005117 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.459748030 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.460841894 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.461352110 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.464066029 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.464602947 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.465365887 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.588502884 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.589215994 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.589294910 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.590858936 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.591279984 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.591345072 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.591387987 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.591516972 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.592350006 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.593561888 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.594038963 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.594611883 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.596762896 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.596837044 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.599097967 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.599450111 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.600963116 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.724127054 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.724306107 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.724318027 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.724481106 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.726039886 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.726106882 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.726231098 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.726882935 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.726938009 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.727788925 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:01.783301115 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:01.783328056 CEST | 49673 | 443 | 192.168.2.8 | 23.206.229.226 |
Oct 23, 2024 17:04:01.783337116 CEST | 49677 | 80 | 192.168.2.8 | 192.229.211.108 |
Oct 23, 2024 17:04:02.095967054 CEST | 49672 | 443 | 192.168.2.8 | 23.206.229.226 |
Oct 23, 2024 17:04:02.156157970 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:02.161515951 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:02.172593117 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:02.177894115 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:02.186012030 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:02.186444044 CEST | 49707 | 443 | 192.168.2.8 | 13.107.253.45 |
Oct 23, 2024 17:04:02.191390991 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Oct 23, 2024 17:04:02.191965103 CEST | 443 | 49707 | 13.107.253.45 | 192.168.2.8 |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Oct 23, 2024 17:04:22.433922052 CEST | 1.1.1.1 | 192.168.2.8 | 0x7087 | No error (0) | | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false |
Oct 23, 2024 17:04:22.433922052 CEST | 1.1.1.1 | 192.168.2.8 | 0x7087 | No error (0) | | | 192.229.221.95 | A (IP address) | IN (0x0001) | false |
Oct 23, 2024 17:04:35.761883974 CEST | 1.1.1.1 | 192.168.2.8 | 0x1fd6 | No error (0) | | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false |
Oct 23, 2024 17:04:35.761883974 CEST | 1.1.1.1 | 192.168.2.8 | 0x1fd6 | No error (0) | | | 192.229.221.95 | A (IP address) | IN (0x0001) | false |
Target ID: | 0 |
Start time: | 11:04:06 |
Start date: | 23/10/2024 |
Path: | C:\Users\user\Desktop\ufp4rvU3SP.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x110000 |
File size: | 294'016 bytes |
MD5 hash: | 56267B2331A42B473283D7F2798CC1F5 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 2 |
Start time: | 11:04:06 |
Start date: | 23/10/2024 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x240000 |
File size: | 262'432 bytes |
MD5 hash: | 8FDF47E0FF70C40ED3A17014AEEA4232 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 11:04:06 |
Start date: | 23/10/2024 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xa10000 |
File size: | 262'432 bytes |
MD5 hash: | 8FDF47E0FF70C40ED3A17014AEEA4232 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 6 |
Start time: | 11:04:06 |
Start date: | 23/10/2024 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xac0000 |
File size: | 483'680 bytes |
MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 7 |
Start time: | 11:04:07 |
Start date: | 23/10/2024 |
Path: | C:\Users\user\AppData\Local\Temp\Honda\Honda.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd90000 |
File size: | 262'432 bytes |
MD5 hash: | 8FDF47E0FF70C40ED3A17014AEEA4232 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Antivirus matches: | |
Reputation: | high |
Has exited: | true |
Target ID: | 8 |
Start time: | 11:04:07 |
Start date: | 23/10/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6ee680000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 10 |
Start time: | 11:04:17 |
Start date: | 23/10/2024 |
Path: | C:\Users\user\AppData\Local\Temp\Honda\Honda.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xc20000 |
File size: | 262'432 bytes |
MD5 hash: | 8FDF47E0FF70C40ED3A17014AEEA4232 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 11 |
Start time: | 11:04:17 |
Start date: | 23/10/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6ee680000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 13 |
Start time: | 11:04:25 |
Start date: | 23/10/2024 |
Path: | C:\Users\user\AppData\Local\Temp\Honda\Honda.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x290000 |
File size: | 262'432 bytes |
MD5 hash: | 8FDF47E0FF70C40ED3A17014AEEA4232 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 14 |
Start time: | 11:04:25 |
Start date: | 23/10/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6ee680000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 15 |
Start time: | 11:04:34 |
Start date: | 23/10/2024 |
Path: | C:\Users\user\AppData\Local\Temp\Honda\Honda.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x300000 |
File size: | 262'432 bytes |
MD5 hash: | 8FDF47E0FF70C40ED3A17014AEEA4232 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 16 |
Start time: | 11:04:34 |
Start date: | 23/10/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6ee680000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Has exited: | true |
Execution Graph
Execution Coverage: | 1.4% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 2.9% |
Total number of Nodes: | 1392 |
Total number of Limit Nodes: | 7 |
Graph
Function 00112F7C Relevance: 1.6, APIs: 1, Instructions: 55 (memory, COMMON)
Function 0012C9D4 Relevance: 7.7, APIs: 5, Instructions: 202 (COMMON)
Function 0012DDAA Relevance: 3.2, APIs: 2, Instructions: 177 (COMMON)
Function 0012D9AE Relevance: 1.6, APIs: 1, Instructions: 147 (COMMON)
Function 001157E2 Relevance: 1.5, APIs: 1, Instructions: 17 (COMMON)
Function 001310A3 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436 (COMMON, LIBRARYCODE)
Function 0013051E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 (COMMON, LIBRARYCODE)
Function 0012FD8F Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251 (COMMON, LIBRARYCODE)
Function 0011A085 Relevance: 6.1, APIs: 4, Instructions: 70 (COMMON)
Function 001301A2 Relevance: 4.7, APIs: 3, Instructions: 205 (COMMON)
Function 00112A0F Relevance: 1.9, APIs: 1, Instructions: 384 (COMMON)
Function 00119B05 Relevance: 1.7, APIs: 1, Instructions: 242 (COMMON)
Function 0012D2FE Relevance: 1.6, APIs: 1, Instructions: 140 (COMMON)
Function 001303F5 Relevance: 1.6, APIs: 1, Instructions: 83 (COMMON)
Function 00130624 Relevance: 1.5, APIs: 1, Instructions: 45 (COMMON)
Function 0011A212 Relevance: 1.5, APIs: 1, Instructions: 3 (COMMON)
Function 0012E177 Relevance: 1.3, APIs: 1, Instructions: 5 (memory, COMMON)
Function 0012F840 Relevance: .3, Instructions: 327 (COMMON)
Function 0011F9EC Relevance: .3, Instructions: 314 (COMMON)
Function 00112F17 Relevance: .0, Instructions: 25 (COMMON)
Function 0012CC6F Relevance: .0, Instructions: 22 (COMMON, LIBRARYCODE)
Function 00123BBE Relevance: .0, Instructions: 12 (COMMON, LIBRARYCODE)
Function 001192CD Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 19 (libraryloader, COMMON)
Function 0012B85E Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 298 (COMMON, LIBRARYCODE)
Function 001190E3 Relevance: 12.2, APIs: 8, Instructions: 175 (COMMON)
Function 0011CE02 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 303 (COMMON, LIBRARYCODE)
Function 001271EF Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74 (COMMON, LIBRARYCODE)
Function 001173C5 Relevance: 10.5, APIs: 7, Instructions: 49 (COMMON)
Function 00123BE0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42 (libraryloader, COMMON, LIBRARYCODE)
Function 00118BAA Relevance: 7.6, APIs: 5, Instructions: 116 (thread, COMMON)
Function 001148F7 Relevance: 7.5, APIs: 5, Instructions: 48 (COMMON)
Function 00114A2F Relevance: 7.5, APIs: 5, Instructions: 48 (COMMON)
Function 00114F6E Relevance: 7.5, APIs: 5, Instructions: 48 (COMMON)
Function 0011DB97 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27 (library, COMMON, LIBRARYCODE)
Function 0012D0BB Relevance: 6.1, APIs: 4, Instructions: 82 (COMMON)
Function 001232F6 Relevance: 6.1, APIs: 4, Instructions: 79 (COMMON)
Function 0012E06A Relevance: 6.1, APIs: 4, Instructions: 74 (COMMON)
Function 0011D1A7 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112 (COMMON, LIBRARYCODE)
Function 0011175B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33 (COMMON, LIBRARYCODE)
Function 01280848 Relevance: 10.0, Strings: 6, Instructions: 2508 (COMMON)
Function 012842E8 Relevance: 9.4, Strings: 5, Instructions: 3155 (COMMON)
Function 012842C8 Relevance: 5.7, Strings: 3, Instructions: 1918 (COMMON)
Function 012807B0 Relevance: 5.4, Strings: 4, Instructions: 400 (COMMON)
Function 01289A30 Relevance: 4.6, Strings: 3, Instructions: 868 (COMMON)
Function 01287850 Relevance: 2.2, Strings: 1, Instructions: 948 (COMMON)
Function 01283108 Relevance: 1.6, Strings: 1, Instructions: 307 (COMMON)
Function 01283A49 Relevance: .6, Instructions: 568 (COMMON)
Function 01288488 Relevance: .5, Instructions: 458 (COMMON)
Function 01288A35 Relevance: .4, Instructions: 447 (COMMON)
Function 01288F60 Relevance: .4, Instructions: 352 (COMMON)
Function 012895B9 Relevance: .2, Instructions: 250 (COMMON)
Function 01283680 Relevance: .2, Instructions: 187 (COMMON)
Function 01288348 Relevance: .1, Instructions: 130 (COMMON)
Function 0128A770 Relevance: .1, Instructions: 128 (COMMON)
Function 0128A764 Relevance: .1, Instructions: 113 (COMMON)
Function 01289478 Relevance: .1, Instructions: 110 (COMMON)
Function 0128A424 Relevance: .1, Instructions: 95 (COMMON)
Function 012830F8 Relevance: .1, Instructions: 90 (COMMON)
Function 01283938 Relevance: .1, Instructions: 83 (COMMON)
Function 0128A920 Relevance: .1, Instructions: 77 (COMMON)
Function 0128A915 Relevance: .1, Instructions: 66 (COMMON)
Function 01282FD3 Relevance: .1, Instructions: 66 (COMMON)
Function 01288D38 Relevance: .1, Instructions: 65 (COMMON)
Function 0128392A Relevance: .0, Instructions: 50 (COMMON)
Function 0122D035 Relevance: .0, Instructions: 45 (COMMON)
Function 0122D034 Relevance: .0, Instructions: 36 (COMMON)
Function 01289350 Relevance: .0, Instructions: 8 (COMMON)
Function 02EE2788 Relevance: 2.0, Instructions: 2015 (COMMON)
Function 02EE5A41 Relevance: .4, Instructions: 437 (COMMON)
Function 02EE4C69 Relevance: .4, Instructions: 420 (COMMON)
Function 02EE4868 Relevance: .2, Instructions: 226 (COMMON)
Function 02EE1063 Relevance: .2, Instructions: 219 (COMMON)
Function 02EE5E28 Relevance: .2, Instructions: 182 (COMMON)
Function 02EE17C8 Relevance: .2, Instructions: 155 (COMMON)
Function 02EE1CC0 Relevance: .1, Instructions: 126 (COMMON)
Function 02EE0848 Relevance: .1, Instructions: 117 (COMMON)
Function 02EE1CB0 Relevance: .1, Instructions: 104 (COMMON)
Function 02EE2777 Relevance: .1, Instructions: 81 (COMMON)
Function 02EE0838 Relevance: .1, Instructions: 78 (COMMON)
Function 02EE1B68 Relevance: .1, Instructions: 75 (COMMON)
Function 02EE1B78 Relevance: .1, Instructions: 69 (COMMON)
Function 02EE4F48 Relevance: .1, Instructions: 56 (COMMON)
Function 02EE6060 Relevance: .1, Instructions: 55 (COMMON)
Function 02EE5218 Relevance: .0, Instructions: 48 (COMMON)
Function 02EE5228 Relevance: .0, Instructions: 42 (COMMON)
Function 02EE0A98 Relevance: .0, Instructions: 41 (COMMON)
Function 02EE0AA8 Relevance: .0, Instructions: 35 (COMMON)
Function 02EE4B34 Relevance: .0, Instructions: 33 (COMMON)
Function 02EE0ED7 Relevance: .0, Instructions: 30 (COMMON)
Function 02EE13B0 Relevance: .0, Instructions: 27 (COMMON)
Function 02EE5148 Relevance: .0, Instructions: 27 (COMMON)
Function 02EE0F28 Relevance: .0, Instructions: 24 (COMMON)
Function 02EE0F70 Relevance: .0, Instructions: 21 (COMMON)
Function 02EE0F38 Relevance: .0, Instructions: 16 (COMMON)
Function 01582788 Relevance: 2.0, Instructions: 2005 (COMMON)
Function 01581CC0 Relevance: 1.6, Strings: 1, Instructions: 373 (COMMON)
Function 01585A41 Relevance: .4, Instructions: 435 (COMMON)
Function 015817C8 Relevance: 1.4, Strings: 1, Instructions: 159 (COMMON)
Function 01584C68 Relevance: .4, Instructions: 419 (COMMON)
Function 01584868 Relevance: .2, Instructions: 238 (COMMON)
Function 01581062 Relevance: .2, Instructions: 219 (COMMON)
Function 01585E28 Relevance: .2, Instructions: 181 (COMMON)
Function 01580848 Relevance: .1, Instructions: 117 (COMMON)
Function 01581CB0 Relevance: .1, Instructions: 101 (COMMON)
Function 01582777 Relevance: .1, Instructions: 80 (COMMON)
Function 01580838 Relevance: .1, Instructions: 78 (COMMON)
Function 01581B68 Relevance: .1, Instructions: 75 (COMMON)
Function 01581B78 Relevance: .1, Instructions: 69 (COMMON)
Function 01584F48 Relevance: .1, Instructions: 56 (COMMON)
Function 01586060 Relevance: .1, Instructions: 55 (COMMON)
Function 01585218 Relevance: .0, Instructions: 47 (COMMON)
Function 01585228 Relevance: .0, Instructions: 42 (COMMON)
Function 01580A98 Relevance: .0, Instructions: 41 (COMMON)
Function 01580AA8 Relevance: .0, Instructions: 35 (COMMON)
Function 01584B34 Relevance: .0, Instructions: 33 (COMMON)
Function 01585148 Relevance: .0, Instructions: 27 (COMMON)
Function 015813B0 Relevance: .0, Instructions: 27 (COMMON)
Function 01580F28 Relevance: .0, Instructions: 24 (COMMON)
Function 01580F70 Relevance: .0, Instructions: 21 (COMMON)
Function 01580F38 Relevance: .0, Instructions: 16 (COMMON)
Function 024E2788 Relevance: 2.0, Instructions: 2018 (COMMON)
Function 024E1CC0 Relevance: 1.7, Strings: 1, Instructions: 478 (COMMON)
Function 024E5A41 Relevance: .4, Instructions: 437 (COMMON)
Function 024E4C69 Relevance: .4, Instructions: 420 (COMMON)
Function 024E4868 Relevance: .2, Instructions: 236 (COMMON)
Function 024E1063 Relevance: .2, Instructions: 219 (COMMON)
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 024E5E28 Relevance: .2, Instructions: 182COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 024E0848 Relevance: .1, Instructions: 117COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 024E1CB0 Relevance: .1, Instructions: 110COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 024E1C73 Relevance: .1, Instructions: 109COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 024E1B68 Relevance: .1, Instructions: 86COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 024E2777 Relevance: .1, Instructions: 81COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 024E0838 Relevance: .1, Instructions: 78COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 024E1B78 Relevance: .1, Instructions: 69COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 024E4F48 Relevance: .1, Instructions: 56COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 024E6060 Relevance: .1, Instructions: 55COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 024E5218 Relevance: .0, Instructions: 48COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 024E18F8 Relevance: .0, Instructions: 46COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 024E5228 Relevance: .0, Instructions: 42COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 024E0A98 Relevance: .0, Instructions: 41COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 024E0AA8 Relevance: .0, Instructions: 35COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 024E4B34 Relevance: .0, Instructions: 33COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 024E13B0 Relevance: .0, Instructions: 27COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 024E5148 Relevance: .0, Instructions: 27COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 024E0F28 Relevance: .0, Instructions: 24COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 024E0F70 Relevance: .0, Instructions: 20COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 024E0F38 Relevance: .0, Instructions: 16COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BF2CC8 Relevance: 1.6, Instructions: 1603COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BF2CC1 Relevance: 1.6, Instructions: 1593COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BF5AA8 Relevance: .3, Instructions: 277COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BF2788 Relevance: .4, Instructions: 390COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BF106D Relevance: .2, Instructions: 216COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BF1CC0 Relevance: .1, Instructions: 129COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BF1CB0 Relevance: .1, Instructions: 122COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BF0848 Relevance: .1, Instructions: 115COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BF2777 Relevance: .1, Instructions: 81COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BF6070 Relevance: .1, Instructions: 79COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BF0838 Relevance: .1, Instructions: 77COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BF1B73 Relevance: .1, Instructions: 72COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BF1B78 Relevance: .1, Instructions: 69COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BF5FB8 Relevance: .1, Instructions: 59COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BF4F3F Relevance: .1, Instructions: 57COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BF4F48 Relevance: .1, Instructions: 56COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BF606D Relevance: .0, Instructions: 50COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BF18F8 Relevance: .0, Instructions: 46COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BF4AB4 Relevance: .0, Instructions: 44COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BF5224 Relevance: .0, Instructions: 44COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BF5228 Relevance: .0, Instructions: 42COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BF0A98 Relevance: .0, Instructions: 41COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BF0AA8 Relevance: .0, Instructions: 35COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BF4B34 Relevance: .0, Instructions: 33COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BF5146 Relevance: .0, Instructions: 28COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BF5148 Relevance: .0, Instructions: 27COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BF13B0 Relevance: .0, Instructions: 27COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BF0F38 Relevance: .0, Instructions: 16COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00BF0F34 Relevance: .0, Instructions: 16COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
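The function listing above repeats the same low 16 bits of address (for example 2788, 1CC0, 0F38) in three different ranges (0158xxxx, 024Exxxx, 00BFxxxx), which is what one expects when the same unpacked code is dumped from several processes or allocations. The script below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses lines in the shape of this listing, groups them by 64 KiB-aligned range (an assumption about how the dumps are based, to be checked against the actual memory dumps), pairs entries that share an offset across ranges so that differing instruction counts stand out, and orders the remaining entries for manual triage. The sample entries embedded in it are constructed from a handful of rows of the table.

```python
import re
from collections import defaultdict

# Constructed sample: a few rows copied in the same shape as the report's
# function listing (address, relevance, optional string count, and the
# instruction count with the category label fused onto it).
SAMPLE = """\
Function 01582788 Relevance: 2.0, Instructions: 2005COMMON
Function 01581CC0 Relevance: 1.6, Strings: 1, Instructions: 373COMMON
Function 01580F38 Relevance: .0, Instructions: 16COMMON
Function 024E2788 Relevance: 2.0, Instructions: 2018COMMON
Function 024E1CC0 Relevance: 1.7, Strings: 1, Instructions: 478COMMON
Function 024E0F38 Relevance: .0, Instructions: 16COMMON
Function 00BF2788 Relevance: .4, Instructions: 390COMMON
Function 00BF2CC8 Relevance: 1.6, Instructions: 1603COMMON
Function 00BF0F38 Relevance: .0, Instructions: 16COMMON
"""

LINE_RE = re.compile(
    r"^Function\s+(?P<addr>[0-9A-Fa-f]{8})\s+"
    r"Relevance:\s*(?P<rel>\d*\.\d+|\d+)"
    r"(?:,\s*Strings:\s*(?P<strings>\d+))?"
    r",\s*Instructions:\s*(?P<instr>\d+)"
    r"(?P<cat>[A-Z]+)?\s*$"
)

# Assumption: each dump region is 64 KiB-aligned, so the top 16 bits identify
# the region and the low 16 bits are the function's offset inside it.
REGION_MASK = 0xFFFF0000
OFFSET_MASK = 0x0000FFFF


def parse_listing(text):
    """Return one dict per 'Function ...' line; any other line is ignored."""
    funcs = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        funcs.append({
            "addr": int(m["addr"], 16),
            "relevance": float(m["rel"]),          # ".0" parses as 0.0
            "strings": int(m["strings"]) if m["strings"] else 0,
            "instructions": int(m["instr"]),
            "category": m["cat"] or "",
        })
    return funcs


def group_by_region(funcs):
    """Map region base (addr & REGION_MASK) -> list of entries in that region."""
    regions = defaultdict(list)
    for f in funcs:
        regions[f["addr"] & REGION_MASK].append(f)
    return dict(regions)


def match_across_regions(funcs):
    """Map offset -> {region_base: entry} for offsets seen in more than one region.

    Entries sharing an offset are candidates for the same code mapped at
    different bases; a differing instruction count at the same offset is
    worth a look (a partially written or differently unpacked copy)."""
    by_offset = defaultdict(dict)
    for f in funcs:
        by_offset[f["addr"] & OFFSET_MASK][f["addr"] & REGION_MASK] = f
    return {off: regs for off, regs in by_offset.items() if len(regs) > 1}


def triage_order(funcs):
    """Highest relevance first, then string-bearing functions, then size."""
    return sorted(
        funcs,
        key=lambda f: (-f["relevance"], -f["strings"], -f["instructions"]),
    )


if __name__ == "__main__":
    entries = parse_listing(SAMPLE)
    for off, regs in sorted(match_across_regions(entries).items()):
        counts = {f"{base:08X}": e["instructions"] for base, e in regs.items()}
        print(f"offset {off:04X}: {counts}")
    for e in triage_order(entries)[:3]:
        print(f"{e['addr']:08X} rel={e['relevance']} instr={e['instructions']}")
```

Run against the full listing, the offsets present in all three regions give a quick map of which dump is the most complete copy of the unpacked payload; offsets present in only one region (such as 2CC8 and 2CC1 in the 00BFxxxx range) are the ones that need a separate look.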