Edit tour
Windows
Analysis Report
tyhkamwdmrg.exe
Overview
General Information
| Sample name: | tyhkamwdmrg.exe |
| Analysis ID: | 1566334 |
| MD5: | 949249a7efcd8c6fd21bc9ffe9ecfdbb |
| SHA1: | e335b63c7accfd306efb2cd83d3d669b915f6f15 |
| SHA256: | bfffe1926c7463a2f8dca190e700a5ff390cb028edfe1bb80491aaf706520123 |
| Tags: | exeuser-aachum |
| Infos: |  |
 | |
Detection
LummaC Stealer
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
tyhkamwdmrg.exe (PID: 6516 cmdline: "C:\Users\ user\Deskt op\tyhkamw dmrg.exe" MD5: 949249A7EFCD8C6FD21BC9FFE9ECFDBB)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-02T01:38:28.956741+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49730 | 172.67.165.166 | 443 | TCP |
| 2024-12-02T01:38:32.429648+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 172.67.165.166 | 443 | TCP |
| 2024-12-02T01:38:34.885668+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 172.67.165.166 | 443 | TCP |
| 2024-12-02T01:38:37.708236+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 172.67.165.166 | 443 | TCP |
| 2024-12-02T01:38:40.178096+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49734 | 172.67.165.166 | 443 | TCP |
| 2024-12-02T01:38:43.327013+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49735 | 172.67.165.166 | 443 | TCP |
| 2024-12-02T01:38:46.485518+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 172.67.165.166 | 443 | TCP |
| 2024-12-02T01:38:51.123338+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49741 | 172.67.165.166 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-02T01:38:31.172104+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 172.67.165.166 | 443 | TCP |
| 2024-12-02T01:38:33.326916+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 172.67.165.166 | 443 | TCP |
| 2024-12-02T01:38:53.045615+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49741 | 172.67.165.166 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-02T01:38:31.172104+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 172.67.165.166 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-02T01:38:33.326916+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 172.67.165.166 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-02T01:38:44.522406+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 172.67.165.166 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-02T01:38:46.507999+0100 | 2843864 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 172.67.165.166 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Code function: | 0_2_00305CD6 | |
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 0_2_00374490 | |
| Source: | Code function: | 0_2_0031C375 | |
| Source: | Code function: | 0_2_0031D36D | |
| Source: | Code function: | 0_2_00329850 | |
| Source: | Code function: | 0_2_00305CD6 | |
| Source: | Code function: | 0_2_00305CD6 | |
| Source: | Code function: | 0_2_00313027 | |
| Source: | Code function: | 0_2_00327010 | |
| Source: | Code function: | 0_2_002FB9F0 | |
| Source: | Code function: | 0_2_00324050 | |
| Source: | Code function: | 0_2_0030C0FE | |
| Source: | Code function: | 0_2_0030C8A0 | |
| Source: | Code function: | 0_2_00318B2F | |
| Source: | Code function: | 0_2_00318B2F | |
| Source: | Code function: | 0_2_00318B2F | |
| Source: | Code function: | 0_2_00318B2F | |
| Source: | Code function: | 0_2_00318B2F | |
| Source: | Code function: | 0_2_00318FDD | |
| Source: | Code function: | 0_2_00318FDD | |
| Source: | Code function: | 0_2_00318FDD | |
| Source: | Code function: | 0_2_00319079 | |
| Source: | Code function: | 0_2_00319136 | |
| Source: | Code function: | 0_2_00319136 | |
| Source: | Code function: | 0_2_00319136 | |
| Source: | Code function: | 0_2_00305220 | |
| Source: | Code function: | 0_2_00305220 | |
| Source: | Code function: | 0_2_0030D38F | |
| Source: | Code function: | 0_2_0031D6F4 | |
| Source: | Code function: | 0_2_00329A80 | |
| Source: | Code function: | 0_2_00329BA0 | |
| Source: | Code function: | 0_2_002F9B90 | |
| Source: | Code function: | 0_2_00311C00 | |
| Source: | Code function: | 0_2_00315C50 | |
| Source: | Code function: | 0_2_00309DE0 | |
| Source: | Code function: | 0_2_00309DE0 | |
| Source: | Code function: | 0_2_00309DE0 | |
| Source: | Code function: | 0_2_00311E70 | |
| Source: | Code function: | 0_2_00329E70 | |
| Source: | Code function: | 0_2_002F1F20 | |
| Source: | Code function: | 0_2_00329F20 | |
| Source: | Code function: | 0_2_00329F20 | |
| Source: | Code function: | 0_2_002F9FB0 | |
| Source: | Code function: | 0_2_0032DF80 | |
| Source: | Code function: | 0_2_00316220 | |
| Source: | Code function: | 0_2_0031A3D0 | |
| Source: | Code function: | 0_2_002F23C0 | |
| Source: | Code function: | 0_2_0031A580 | |
| Source: | Code function: | 0_2_00326800 | |
| Source: | Code function: | 0_2_002FA85B | |
| Source: | Code function: | 0_2_0031AB40 | |
| Source: | Code function: | 0_2_00306BF5 | |
| Source: | Code function: | 0_2_0030EBD0 | |
| Source: | Code function: | 0_2_002F2C70 | |
| Source: | Code function: | 0_2_002F6DB0 | |
| Source: | Code function: | 0_2_00306BF5 | |
| Source: | Code function: | 0_2_00307229 | |
| Source: | Code function: | 0_2_00307229 | |
| Source: | Code function: | 0_2_0032B200 | |
| Source: | Code function: | 0_2_003076F4 | |
| Source: | Code function: | 0_2_0030B72D | |
| Source: | Code function: | 0_2_002FF754 | |
| Source: | Code function: | 0_2_003138D0 | |
| Source: | Code function: | 0_2_00327940 | |
| Source: | Code function: | 0_2_0031BA45 | |
| Source: | Code function: | 0_2_0031BA8B | |
| Source: | Code function: | 0_2_00313BA0 | |
| Source: | Code function: | 0_2_00327C00 | |
| Source: | Code function: | 0_2_002F7D70 | |
| Source: | Code function: | 0_2_002F7D70 | |
| Source: | Code function: | 0_2_00327E70 | |
| Source: | Code function: | 0_2_0030BF13 | |
| Source: | Code function: | 0_2_00307FD3 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
System Summary | |
|---|
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_0039C634 | |
| Source: | Code function: | 0_2_0039C650 | |
| Source: | Code function: | 0_2_0039C6B8 | |
| Source: | Code function: | 0_2_0039C710 | |
| Source: | Code function: | 0_2_0039C7F0 | |
| Source: | Code function: | 0_2_0039CBD0 | |
| Source: | Code function: | 0_2_0039C028 | |
| Source: | Code function: | 0_2_0039C070 | |
| Source: | Code function: | 0_2_0039C0B0 | |
| Source: | Code function: | 0_2_0039C180 | |
| Source: | Code function: | 0_2_0039C1E0 | |
| Source: | Code function: | 0_2_0039C27C | |
| Source: | Code function: | 0_2_0039C2E0 | |
| Source: | Code function: | 0_2_0039C2C4 | |
| Source: | Code function: | 0_2_0039C338 | |
| Source: | Code function: | 0_2_0039C36C | |
| Source: | Code function: | 0_2_0039C3F4 | |
| Source: | Code function: | 0_2_0039C43C | |
| Source: | Code function: | 0_2_0039C48C | |
| Source: | Code function: | 0_2_0039C4EC | |
| Source: | Code function: | 0_2_0039C53C | |
| Source: | Code function: | 0_2_0039C558 | |
| Source: | Code function: | 0_2_0039C58C | |
| Source: | Code function: | 0_2_0039C5EC | |
| Source: | Code function: | 0_2_0039C684 | |
| Source: | Code function: | 0_2_0039C778 | |
| Source: | Code function: | 0_2_0039BB50 | |
| Source: | Code function: | 0_2_0039BBB0 | |
| Source: | Code function: | 0_2_0039BBE4 | |
| Source: | Code function: | 0_2_0039BC50 | |
| Source: | Code function: | 0_2_0039BCA0 | |
| Source: | Code function: | 0_2_0039BCF8 | |
| Source: | Code function: | 0_2_0039BD60 | |
| Source: | Code function: | 0_2_0039BD8C | |
| Source: | Code function: | 0_2_0039BDE0 | |
| Source: | Code function: | 0_2_0039BE14 | |
| Source: | Code function: | 0_2_0039BE6C | |
| Source: | Code function: | 0_2_0039BF04 | |
| Source: | Code function: | 0_2_0039BF74 | |
| Source: | Code function: | 0_2_0039BF54 | |
| Source: | Code function: | 0_2_0039BFB4 | |
| Source: | Code function: | 0_2_0039BFE8 | |
| Source: | Code function: | 0_2_003FACA4 | |
| Source: | Code function: | 0_2_0031C375 | |
| Source: | Code function: | 0_2_002F9200 | |
| Source: | Code function: | 0_2_00311320 | |
| Source: | Code function: | 0_2_0031D36D | |
| Source: | Code function: | 0_2_0032D8F0 | |
| Source: | Code function: | 0_2_0032DCA0 | |
| Source: | Code function: | 0_2_00305CD6 | |
| Source: | Code function: | 0_2_0032E550 | |
| Source: | Code function: | 0_2_00316AA0 | |
| Source: | Code function: | 0_2_00302B10 | |
| Source: | Code function: | 0_2_00326CD0 | |
| Source: | Code function: | 0_2_002FEE72 | |
| Source: | Code function: | 0_2_00327010 | |
| Source: | Code function: | 0_2_002FB9F0 | |
| Source: | Code function: | 0_2_003C882C | |
| Source: | Code function: | 0_2_0044880C | |
| Source: | Code function: | 0_2_0044C8C4 | |
| Source: | Code function: | 0_2_0030C8A0 | |
| Source: | Code function: | 0_2_0032C890 | |
| Source: | Code function: | 0_2_0032494B | |
| Source: | Code function: | 0_2_0032C980 | |
| Source: | Code function: | 0_2_0031CA25 | |
| Source: | Code function: | 0_2_00318A40 | |
| Source: | Code function: | 0_2_00318B2F | |
| Source: | Code function: | 0_2_00308B09 | |
| Source: | Code function: | 0_2_003ACBB0 | |
| Source: | Code function: | 0_2_0032CBC0 | |
| Source: | Code function: | 0_2_00454C38 | |
| Source: | Code function: | 0_2_002F4DB0 | |
| Source: | Code function: | 0_2_00440E4C | |
| Source: | Code function: | 0_2_00384FF0 | |
| Source: | Code function: | 0_2_00318FDD | |
| Source: | Code function: | 0_2_00319136 | |
| Source: | Code function: | 0_2_0044913C | |
| Source: | Code function: | 0_2_00305220 | |
| Source: | Code function: | 0_2_0030D38F | |
| Source: | Code function: | 0_2_002F93F0 | |
| Source: | Code function: | 0_2_002F548B | |
| Source: | Code function: | 0_2_00415498 | |
| Source: | Code function: | 0_2_0031D6F4 | |
| Source: | Code function: | 0_2_00321700 | |
| Source: | Code function: | 0_2_002F5790 | |
| Source: | Code function: | 0_2_003157D9 | |
| Source: | Code function: | 0_2_00319830 | |
| Source: | Code function: | 0_2_003058B0 | |
| Source: | Code function: | 0_2_00435958 | |
| Source: | Code function: | 0_2_0041DA18 | |
| Source: | Code function: | 0_2_00419AC8 | |
| Source: | Code function: | 0_2_00319B75 | |
| Source: | Code function: | 0_2_002F9B90 | |
| Source: | Code function: | 0_2_00309DE0 | |
| Source: | Code function: | 0_2_00325E0A | |
| Source: | Code function: | 0_2_00311E70 | |
| Source: | Code function: | 0_2_00435E80 | |
| Source: | Code function: | 0_2_0030DEE0 | |
| Source: | Code function: | 0_2_00421EB0 | |
| Source: | Code function: | 0_2_00315F30 | |
| Source: | Code function: | 0_2_00329F20 | |
| Source: | Code function: | 0_2_002FDF60 | |
| Source: | Code function: | 0_2_002F9FB0 | |
| Source: | Code function: | 0_2_0032DF80 | |
| Source: | Code function: | 0_2_002F60D0 | |
| Source: | Code function: | 0_2_0030E220 | |
| Source: | Code function: | 0_2_00316220 | |
| Source: | Code function: | 0_2_003FA264 | |
| Source: | Code function: | 0_2_0032E250 | |
| Source: | Code function: | 0_2_003022F3 | |
| Source: | Code function: | 0_2_00306324 | |
| Source: | Code function: | 0_2_00442434 | |
| Source: | Code function: | 0_2_0031E4D0 | |
| Source: | Code function: | 0_2_003265A0 | |
| Source: | Code function: | 0_2_0030E630 | |
| Source: | Code function: | 0_2_0031A620 | |
| Source: | Code function: | 0_2_003FA600 | |
| Source: | Code function: | 0_2_0032A660 | |
| Source: | Code function: | 0_2_002F66F0 | |
| Source: | Code function: | 0_2_003326C9 | |
| Source: | Code function: | 0_2_0031E810 | |
| Source: | Code function: | 0_2_00326800 | |
| Source: | Code function: | 0_2_0030E9A0 | |
| Source: | Code function: | 0_2_0041AA04 | |
| Source: | Code function: | 0_2_003FAA40 | |
| Source: | Code function: | 0_2_0030EBD0 | |
| Source: | Code function: | 0_2_003B6C0C | |
| Source: | Code function: | 0_2_0044ED68 | |
| Source: | Code function: | 0_2_002F6DB0 | |
| Source: | Code function: | 0_2_00316E50 | |
| Source: | Code function: | 0_2_0042EFF0 | |
| Source: | Code function: | 0_2_002F2FC0 | |
| Source: | Code function: | 0_2_00453048 | |
| Source: | Code function: | 0_2_0044B05C | |
| Source: | Code function: | 0_2_0044F01C | |
| Source: | Code function: | 0_2_00307229 | |
| Source: | Code function: | 0_2_002F7260 | |
| Source: | Code function: | 0_2_0031F3DB | |
| Source: | Code function: | 0_2_002FB4D0 | |
| Source: | Code function: | 0_2_00313598 | |
| Source: | Code function: | 0_2_0033383F | |
| Source: | Code function: | 0_2_0031786C | |
| Source: | Code function: | 0_2_0033388B | |
| Source: | Code function: | 0_2_003138D0 | |
| Source: | Code function: | 0_2_0038F97C | |
| Source: | Code function: | 0_2_00327940 | |
| Source: | Code function: | 0_2_002F39C0 | |
| Source: | Code function: | 0_2_0031BA8B | |
| Source: | Code function: | 0_2_003F7AC8 | |
| Source: | Code function: | 0_2_00313BA0 | |
| Source: | Code function: | 0_2_00317B83 | |
| Source: | Code function: | 0_2_003D7C28 | |
| Source: | Code function: | 0_2_00313D10 | |
| Source: | Code function: | 0_2_002F7D70 | |
| Source: | Code function: | 0_2_003F7D94 | |
| Source: | Code function: | 0_2_0030FE50 | |
| Source: | Code function: | 0_2_004AFF40 | |
| Source: | Code function: | 0_2_003F7F24 | |
| Source: | Code function: | 0_2_00307F07 | |
| Source: | Code function: | 0_2_0031FF40 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | ReversingLabs: | ||
| Source: | Virustotal: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static file information: | ||
Data Obfuscation | |
|---|
| Source: | Unpacked PE file: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_003E9A49 | |
| Source: | Code function: | 0_2_00358078 | |
| Source: | Code function: | 0_2_0038C0E0 | |
| Source: | Code function: | 0_2_003F412C | |
| Source: | Code function: | 0_2_0038C118 | |
| Source: | Code function: | 0_2_0042C148 | |
| Source: | Code function: | 0_2_003C41B8 | |
| Source: | Code function: | 0_2_003901C4 | |
| Source: | Code function: | 0_2_003B02BB | |
| Source: | Code function: | 0_2_003B0314 | |
| Source: | Code function: | 0_2_003B0380 | |
| Source: | Code function: | 0_2_003603F8 | |
| Source: | Code function: | 0_2_003F83B8 | |
| Source: | Code function: | 0_2_003B03D7 | |
| Source: | Code function: | 0_2_00448452 | |
| Source: | Code function: | 0_2_004B4573 | |
| Source: | Code function: | 0_2_0036059C | |
| Source: | Code function: | 0_2_003D05AE | |
| Source: | Code function: | 0_2_00360667 | |
| Source: | Code function: | 0_2_00360687 | |
| Source: | Code function: | 0_2_003D873F | |
| Source: | Code function: | 0_2_003F8754 | |
| Source: | Code function: | 0_2_0040C7A7 | |
| Source: | Code function: | 0_2_00448734 | |
| Source: | Code function: | 0_2_003F878C | |
| Source: | Code function: | 0_2_00390897 | |
| Source: | Code function: | 0_2_003FC8B4 | |
| Source: | Code function: | 0_2_003608F6 | |
| Source: | Code function: | 0_2_004348BE | |
| Source: | Code function: | 0_2_004B48D2 | |
| Source: | Code function: | 0_2_004089E8 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | System information queried: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | Code function: | 0_2_00374490 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
Anti Debugging | |
|---|
| Source: | Thread information set: | Jump to behavior | ||
| Source: | Thread information set: | Jump to behavior | ||
| Source: | Code function: | 0_2_0032B1C0 | |
| Source: | Code function: | 0_2_003F9268 | |
| Source: | Code function: | 0_2_004AB208 | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_0039ACC0 | |
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Query Registry | Remote Desktop Protocol | 31 Data from Local System | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 4 Obfuscated Files or Information | Security Account Manager | 211 Security Software Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Software Packing | NTDS | 21 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 14 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 11 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 41 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 53% | ReversingLabs | Win32.Trojan.LummaStealer | ||
| 44% | Virustotal | Browse | ||
| 100% | Avira | HEUR/AGEN.1314134 | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Virustotal | Browse | ||
| 17% | Virustotal | Browse |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| atten-supporse.biz | 172.67.165.166 | true | false | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 147.45.47.81 | unknown | Russian Federation | 2895 | FREE-NET-ASFREEnetEU | false | |
| 172.67.165.166 | atten-supporse.biz | United States | 13335 | CLOUDFLARENETUS | false |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1566334 |
| Start date and time: | 2024-12-02 01:37:35 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 6m 18s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Run name: | Run with higher sleep bypass |
| Number of analysed new started processes analysed: | 5 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | tyhkamwdmrg.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@1/0@1/2 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenFile calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
⊘No simulations
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 147.45.47.81 | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC, Xmrig | Browse |
| ||
| Get hash | malicious | LummaC, Xmrig | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | RedLine, Xmrig | Browse |
| ||
| Get hash | malicious | PureLog Stealer, RedLine, Xmrig | Browse |
| ||
| 172.67.165.166 | Get hash | malicious | FormBook | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| atten-supporse.biz | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| FREE-NET-ASFREEnetEU | Get hash | malicious | DCRat | Browse |
| |
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Amadey | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Raccoon Stealer v2 | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| CLOUDFLARENETUS | Get hash | malicious | Vidar | Browse |
| |
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Gurcu Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse |
|
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 7.990836251406214 |
| TrID: |
|
| File name: | tyhkamwdmrg.exe |
| File size: | 1'272'832 bytes |
| MD5: | 949249a7efcd8c6fd21bc9ffe9ecfdbb |
| SHA1: | e335b63c7accfd306efb2cd83d3d669b915f6f15 |
| SHA256: | bfffe1926c7463a2f8dca190e700a5ff390cb028edfe1bb80491aaf706520123 |
| SHA512: | 309e94d267b55bfb58547a021a53bebfed612da42c5c8dfe55063ed40188c0535095c7a19e5c56adeca53b268ddaa7dbac38857abe1dadca146cc7e7c90cf7b6 |
| SSDEEP: | 24576:JjcQicewyhMtgqWxjY5w0u94YFrHzNgV+RoSrzFVdTEjAi7xyfPw:VZizH+OTx4w0erHzNgV+o4z7GB |
| TLSH: | 024533AA50070B37C8174838CD914E5D6FA1B5AB6B3BB408C3F918D99B4CE534F56F8A |
| File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....WKg..........................................@...........................;...........@................................. P-.... |
 | |
| Icon Hash: | 90cececece8e8eb0 |
| Entrypoint: | 0x41d30f |
| Entrypoint Section: | |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x674B57E7 [Sat Nov 30 18:22:31 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 71cc5af9daad65e58c6f29c42cdf9201 |
| Instruction |
|---|
| push ebp |
| mov ebp, esp |
| add esp, FFFFFFF0h |
| mov eax, 00401000h |
| call 00007F4B2C4FEED6h |
| call far 5DE5h : 8B10C483h |
| jmp 00007F4B2C89AA12h |
| clc |
| dec esp |
| jc 00007F4B2C4FEEFAh |
| in eax, BEh |
| or eax, D29D5D0Ah |
| dec esp |
| in eax, E2h |
| mov ebx, C1CAB169h |
| inc edx |
| mov byte ptr [ebx-193A1E64h], bh |
| mov ebp, 6DE35F49h |
| xchg eax, ecx |
| jmp 00007F4B57C202A9h |
| jne 00007F4B2C4FEF19h |
| push ecx |
| pop ds |
| mov dword ptr [esi], edi |
| push ecx |
| and eax, ebp |
| and ch, byte ptr [ecx-7Ch] |
| pop ebx |
| mov ch, 29h |
| push edi |
| lds edx, fword ptr [edi+6C5161F7h] |
| xchg eax, ebx |
| out 3Dh, al |
| cmc |
| dec edi |
| out C5h, eax |
| rol dword ptr [F68EFEC8h], 54h |
| cmp ch, byte ptr [ecx+122B8736h] |
| out A7h, eax |
| lahf |
| sbb dword ptr [ecx], ebx |
| test al, E2h |
| rcl dword ptr [ebp+36D1C949h], 42h |
| or bl, byte ptr [1F312F99h] |
| cmp ebx, ebx |
| dec eax |
| pop eax |
| mov al, byte ptr [DC43F4E2h] |
| push ebp |
| iretd |
| rol byte ptr [ecx+ebp*2], cl |
| dec edx |
| mov eax, F5C4C155h |
| inc ecx |
| jnbe 00007F4B2C4FEEBFh |
| inc eax |
| cmpsb |
| sti |
| sbb eax, 615E0196h |
| mov bh, 1Dh |
| adc bl, byte ptr [ecx-3A0105DFh] |
| dec edi |
| mov dword ptr [AAA36D1Bh], ebx |
| adc edi, ebp |
| push eax |
| xchg eax, esi |
| std |
| inc ebp |
| cmpsb |
| mov bh, E6h |
| push es |
| xor al, FCh |
| xchg eax, esp |
| movsb |
| call 00007F4B20A2C1C0h |
| xor byte ptr [ecx-7Bh], cl |
| std |
| sbb ebp, dword ptr [edx] |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2d5020 | 0x214 | .data |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2d5000 | 0xc | .data |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| 0x1000 | 0x3e000 | 0x1f800 | e7e6035dc082756a266a868903ba3797 | False | 0.997589595734127 | data | 7.997242368473124 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
| 0x3f000 | 0x3000 | 0xe00 | 3125e93200b0d15e28b6ebec1bbbd13c | False | 0.9899553571428571 | data | 7.898656126844285 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
| 0x42000 | 0x10000 | 0x3000 | cb578e9b80b464dbb41d50340a172a3d | False | 0.9961751302083334 | data | 7.977603490688354 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
| 0x52000 | 0x1000 | 0x200 | 0475e6a0e048e1a634cb08e4126c3fa3 | False | 0.04296875 | data | 0.1833387916558982 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
| 0x53000 | 0x4000 | 0x2200 | 8d2fd1e35b3df2b717132eeb199990e7 | False | 0.9838005514705882 | data | 7.933538071772522 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
| 0x57000 | 0x27e000 | 0x2ba00 | ce86cacf83e75222b999173452f2b112 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
| .data | 0x2d5000 | 0xe6000 | 0xe5400 | 03e8f16b31a8ac68b556849b22f74ca0 | False | 0.9972140812431843 | data | 7.985169205338615 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| DLL | Import |
|---|---|
| kernel32.dll | GetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA |
| user32.dll | MessageBoxA |
| advapi32.dll | RegCloseKey |
| oleaut32.dll | SysFreeString |
| gdi32.dll | CreateFontA |
| shell32.dll | ShellExecuteA |
| version.dll | GetFileVersionInfoA |
| ole32.dll | CoCreateInstance |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-02T01:38:28.956741+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49730 | 172.67.165.166 | 443 | TCP |
| 2024-12-02T01:38:31.172104+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49730 | 172.67.165.166 | 443 | TCP |
| 2024-12-02T01:38:31.172104+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49730 | 172.67.165.166 | 443 | TCP |
| 2024-12-02T01:38:32.429648+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 172.67.165.166 | 443 | TCP |
| 2024-12-02T01:38:33.326916+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49731 | 172.67.165.166 | 443 | TCP |
| 2024-12-02T01:38:33.326916+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49731 | 172.67.165.166 | 443 | TCP |
| 2024-12-02T01:38:34.885668+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49732 | 172.67.165.166 | 443 | TCP |
| 2024-12-02T01:38:37.708236+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49733 | 172.67.165.166 | 443 | TCP |
| 2024-12-02T01:38:40.178096+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49734 | 172.67.165.166 | 443 | TCP |
| 2024-12-02T01:38:43.327013+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49735 | 172.67.165.166 | 443 | TCP |
| 2024-12-02T01:38:44.522406+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49735 | 172.67.165.166 | 443 | TCP |
| 2024-12-02T01:38:46.485518+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49737 | 172.67.165.166 | 443 | TCP |
| 2024-12-02T01:38:46.507999+0100 | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 1 | 192.168.2.4 | 49737 | 172.67.165.166 | 443 | TCP |
| 2024-12-02T01:38:51.123338+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49741 | 172.67.165.166 | 443 | TCP |
| 2024-12-02T01:38:53.045615+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49741 | 172.67.165.166 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 2, 2024 01:38:27.685672045 CET | 49730 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:27.685729027 CET | 443 | 49730 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:27.685830116 CET | 49730 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:27.688946962 CET | 49730 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:27.688966990 CET | 443 | 49730 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:28.956646919 CET | 443 | 49730 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:28.956741095 CET | 49730 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:28.961257935 CET | 49730 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:28.961272955 CET | 443 | 49730 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:28.961534977 CET | 443 | 49730 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:29.010617018 CET | 49730 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:29.231666088 CET | 49730 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:29.231710911 CET | 49730 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:29.231865883 CET | 443 | 49730 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:31.172118902 CET | 443 | 49730 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:31.172208071 CET | 443 | 49730 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:31.172269106 CET | 49730 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:31.174180984 CET | 49730 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:31.174200058 CET | 443 | 49730 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:31.174212933 CET | 49730 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:31.174217939 CET | 443 | 49730 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:31.215580940 CET | 49731 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:31.215630054 CET | 443 | 49731 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:31.215742111 CET | 49731 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:31.215971947 CET | 49731 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:31.215986013 CET | 443 | 49731 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:32.429553986 CET | 443 | 49731 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:32.429647923 CET | 49731 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:32.455427885 CET | 49731 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:32.455445051 CET | 443 | 49731 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:32.455634117 CET | 443 | 49731 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:32.456934929 CET | 49731 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:32.456970930 CET | 49731 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:32.456995010 CET | 443 | 49731 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:33.326906919 CET | 443 | 49731 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:33.327276945 CET | 443 | 49731 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:33.327310085 CET | 443 | 49731 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:33.327368975 CET | 49731 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:33.327399015 CET | 443 | 49731 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:33.327460051 CET | 49731 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:33.327874899 CET | 443 | 49731 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:33.335015059 CET | 443 | 49731 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:33.335077047 CET | 49731 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:33.335083008 CET | 443 | 49731 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:33.343492985 CET | 443 | 49731 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:33.343543053 CET | 49731 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:33.343548059 CET | 443 | 49731 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:33.351922989 CET | 443 | 49731 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:33.351974010 CET | 49731 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:33.351979971 CET | 443 | 49731 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:33.401232004 CET | 49731 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:33.446844101 CET | 443 | 49731 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:33.495017052 CET | 49731 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:33.518536091 CET | 443 | 49731 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:33.522347927 CET | 443 | 49731 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:33.522427082 CET | 443 | 49731 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:33.522428036 CET | 49731 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:33.522485018 CET | 49731 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:33.522568941 CET | 49731 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:33.522582054 CET | 443 | 49731 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:33.522595882 CET | 49731 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:33.522600889 CET | 443 | 49731 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:33.611804008 CET | 49732 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:33.611846924 CET | 443 | 49732 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:33.611927032 CET | 49732 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:33.612390041 CET | 49732 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:33.612402916 CET | 443 | 49732 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:34.885466099 CET | 443 | 49732 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:34.885668039 CET | 49732 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:34.887025118 CET | 49732 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:34.887047052 CET | 443 | 49732 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:34.887275934 CET | 443 | 49732 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:34.888387918 CET | 49732 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:34.888511896 CET | 49732 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:34.888536930 CET | 443 | 49732 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:34.888586998 CET | 49732 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:34.888596058 CET | 443 | 49732 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:36.365449905 CET | 443 | 49732 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:36.365541935 CET | 443 | 49732 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:36.365655899 CET | 49732 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:36.365828991 CET | 49732 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:36.365848064 CET | 443 | 49732 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:36.446300030 CET | 49733 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:36.446346998 CET | 443 | 49733 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:36.446440935 CET | 49733 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:36.446722031 CET | 49733 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:36.446734905 CET | 443 | 49733 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:37.708127022 CET | 443 | 49733 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:37.708235979 CET | 49733 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:37.709727049 CET | 49733 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:37.709738016 CET | 443 | 49733 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:37.709948063 CET | 443 | 49733 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:37.711205959 CET | 49733 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:37.711359978 CET | 49733 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:37.711389065 CET | 443 | 49733 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:38.656079054 CET | 443 | 49733 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:38.656172991 CET | 443 | 49733 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:38.656229973 CET | 49733 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:38.656366110 CET | 49733 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:38.656383991 CET | 443 | 49733 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:38.873358965 CET | 49734 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:38.873397112 CET | 443 | 49734 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:38.873465061 CET | 49734 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:38.873780966 CET | 49734 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:38.873804092 CET | 443 | 49734 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:40.177980900 CET | 443 | 49734 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:40.178096056 CET | 49734 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:40.179419994 CET | 49734 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:40.179430008 CET | 443 | 49734 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:40.179651022 CET | 443 | 49734 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:40.180896044 CET | 49734 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:40.181066990 CET | 49734 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:40.181098938 CET | 443 | 49734 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:40.181158066 CET | 49734 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:40.181166887 CET | 443 | 49734 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:41.586301088 CET | 443 | 49734 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:41.586390018 CET | 443 | 49734 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:41.586447001 CET | 49734 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:41.586580038 CET | 49734 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:41.586596012 CET | 443 | 49734 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:42.063143969 CET | 49735 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:42.063211918 CET | 443 | 49735 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:42.063286066 CET | 49735 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:42.064157963 CET | 49735 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:42.064176083 CET | 443 | 49735 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:43.326937914 CET | 443 | 49735 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:43.327013016 CET | 49735 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:43.328695059 CET | 49735 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:43.328705072 CET | 443 | 49735 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:43.328933954 CET | 443 | 49735 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:43.330770969 CET | 49735 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:43.330857992 CET | 49735 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:43.330863953 CET | 443 | 49735 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:44.522412062 CET | 443 | 49735 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:44.522505045 CET | 443 | 49735 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:44.522676945 CET | 49735 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:44.522711039 CET | 49735 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:45.153302908 CET | 49737 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:45.153343916 CET | 443 | 49737 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:45.153506041 CET | 49737 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:45.153851032 CET | 49737 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:45.153866053 CET | 443 | 49737 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:46.485426903 CET | 443 | 49737 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:46.485517979 CET | 49737 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:46.486715078 CET | 49737 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:46.486723900 CET | 443 | 49737 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:46.486924887 CET | 443 | 49737 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:46.506270885 CET | 49737 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:46.507038116 CET | 49737 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:46.507071018 CET | 443 | 49737 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:46.507307053 CET | 49737 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:46.507339001 CET | 443 | 49737 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:46.507441044 CET | 49737 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:46.507479906 CET | 443 | 49737 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:46.507595062 CET | 49737 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:46.507626057 CET | 443 | 49737 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:46.508013010 CET | 49737 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:46.508045912 CET | 443 | 49737 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:46.508268118 CET | 49737 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:46.508291006 CET | 443 | 49737 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:46.508299112 CET | 49737 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:46.508308887 CET | 443 | 49737 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:46.508474112 CET | 49737 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:46.508497000 CET | 443 | 49737 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:46.508518934 CET | 49737 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:46.508658886 CET | 49737 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:46.508697033 CET | 49737 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:46.555334091 CET | 443 | 49737 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:46.556493998 CET | 49737 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:46.556529999 CET | 443 | 49737 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:46.556550980 CET | 49737 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:46.556567907 CET | 443 | 49737 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:46.556596041 CET | 49737 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:46.556607962 CET | 443 | 49737 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:46.556678057 CET | 49737 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:46.556695938 CET | 443 | 49737 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:49.705836058 CET | 443 | 49737 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:49.705934048 CET | 443 | 49737 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:49.706013918 CET | 49737 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:49.718247890 CET | 49737 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:49.718271971 CET | 443 | 49737 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:49.803644896 CET | 49741 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:49.803683043 CET | 443 | 49741 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:49.803776026 CET | 49741 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:49.807976007 CET | 49741 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:49.807988882 CET | 443 | 49741 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:51.123256922 CET | 443 | 49741 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:51.123337984 CET | 49741 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:51.125962973 CET | 49741 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:51.125974894 CET | 443 | 49741 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:51.126173973 CET | 443 | 49741 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:51.135421038 CET | 49741 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:51.135476112 CET | 49741 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:51.135494947 CET | 443 | 49741 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:53.045620918 CET | 443 | 49741 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:53.045706034 CET | 443 | 49741 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:53.045768023 CET | 49741 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:53.052877903 CET | 49741 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:53.052892923 CET | 443 | 49741 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:53.052911043 CET | 49741 | 443 | 192.168.2.4 | 172.67.165.166 |
| Dec 2, 2024 01:38:53.052917004 CET | 443 | 49741 | 172.67.165.166 | 192.168.2.4 |
| Dec 2, 2024 01:38:53.166306019 CET | 49744 | 80 | 192.168.2.4 | 147.45.47.81 |
| Dec 2, 2024 01:38:53.286283970 CET | 80 | 49744 | 147.45.47.81 | 192.168.2.4 |
| Dec 2, 2024 01:38:53.286386013 CET | 49744 | 80 | 192.168.2.4 | 147.45.47.81 |
| Dec 2, 2024 01:38:53.286562920 CET | 49744 | 80 | 192.168.2.4 | 147.45.47.81 |
| Dec 2, 2024 01:38:53.406415939 CET | 80 | 49744 | 147.45.47.81 | 192.168.2.4 |
| Dec 2, 2024 01:39:15.221446037 CET | 80 | 49744 | 147.45.47.81 | 192.168.2.4 |
| Dec 2, 2024 01:39:15.221571922 CET | 49744 | 80 | 192.168.2.4 | 147.45.47.81 |
| Dec 2, 2024 01:39:15.221642971 CET | 49744 | 80 | 192.168.2.4 | 147.45.47.81 |
| Dec 2, 2024 01:39:15.341583014 CET | 80 | 49744 | 147.45.47.81 | 192.168.2.4 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 2, 2024 01:38:27.518907070 CET | 56890 | 53 | 192.168.2.4 | 1.1.1.1 |
| Dec 2, 2024 01:38:27.658283949 CET | 53 | 56890 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Dec 2, 2024 01:38:27.518907070 CET | 192.168.2.4 | 1.1.1.1 | 0x4e09 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Dec 2, 2024 01:38:27.658283949 CET | 1.1.1.1 | 192.168.2.4 | 0x4e09 | No error (0) | 172.67.165.166 | A (IP address) | IN (0x0001) | false | ||
| Dec 2, 2024 01:38:27.658283949 CET | 1.1.1.1 | 192.168.2.4 | 0x4e09 | No error (0) | 104.21.16.9 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49744 | 147.45.47.81 | 80 | 6516 | C:\Users\user\Desktop\tyhkamwdmrg.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Dec 2, 2024 01:38:53.286562920 CET | 198 | OUT |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49730 | 172.67.165.166 | 443 | 6516 | C:\Users\user\Desktop\tyhkamwdmrg.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-02 00:38:29 UTC | 265 | OUT | |
| 2024-12-02 00:38:29 UTC | 8 | OUT | |
| 2024-12-02 00:38:31 UTC | 1010 | IN | |
| 2024-12-02 00:38:31 UTC | 7 | IN | |
| 2024-12-02 00:38:31 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49731 | 172.67.165.166 | 443 | 6516 | C:\Users\user\Desktop\tyhkamwdmrg.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-02 00:38:32 UTC | 266 | OUT | |
| 2024-12-02 00:38:32 UTC | 49 | OUT | |
| 2024-12-02 00:38:33 UTC | 1015 | IN | |
| 2024-12-02 00:38:33 UTC | 354 | IN | |
| 2024-12-02 00:38:33 UTC | 901 | IN | |
| 2024-12-02 00:38:33 UTC | 1369 | IN | |
| 2024-12-02 00:38:33 UTC | 1369 | IN | |
| 2024-12-02 00:38:33 UTC | 1369 | IN | |
| 2024-12-02 00:38:33 UTC | 1369 | IN | |
| 2024-12-02 00:38:33 UTC | 859 | IN | |
| 2024-12-02 00:38:33 UTC | 1369 | IN | |
| 2024-12-02 00:38:33 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.4 | 49732 | 172.67.165.166 | 443 | 6516 | C:\Users\user\Desktop\tyhkamwdmrg.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-02 00:38:34 UTC | 282 | OUT | |
| 2024-12-02 00:38:34 UTC | 15331 | OUT | |
| 2024-12-02 00:38:34 UTC | 2822 | OUT | |
| 2024-12-02 00:38:36 UTC | 1016 | IN | |
| 2024-12-02 00:38:36 UTC | 20 | IN | |
| 2024-12-02 00:38:36 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.4 | 49733 | 172.67.165.166 | 443 | 6516 | C:\Users\user\Desktop\tyhkamwdmrg.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-02 00:38:37 UTC | 279 | OUT | |
| 2024-12-02 00:38:37 UTC | 8762 | OUT | |
| 2024-12-02 00:38:38 UTC | 1023 | IN | |
| 2024-12-02 00:38:38 UTC | 20 | IN | |
| 2024-12-02 00:38:38 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.4 | 49734 | 172.67.165.166 | 443 | 6516 | C:\Users\user\Desktop\tyhkamwdmrg.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-02 00:38:40 UTC | 276 | OUT | |
| 2024-12-02 00:38:40 UTC | 15331 | OUT | |
| 2024-12-02 00:38:40 UTC | 5060 | OUT | |
| 2024-12-02 00:38:41 UTC | 1022 | IN | |
| 2024-12-02 00:38:41 UTC | 20 | IN | |
| 2024-12-02 00:38:41 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.4 | 49735 | 172.67.165.166 | 443 | 6516 | C:\Users\user\Desktop\tyhkamwdmrg.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-02 00:38:43 UTC | 281 | OUT | |
| 2024-12-02 00:38:43 UTC | 1244 | OUT | |
| 2024-12-02 00:38:44 UTC | 1021 | IN | |
| 2024-12-02 00:38:44 UTC | 20 | IN | |
| 2024-12-02 00:38:44 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.4 | 49737 | 172.67.165.166 | 443 | 6516 | C:\Users\user\Desktop\tyhkamwdmrg.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-02 00:38:46 UTC | 282 | OUT | |
| 2024-12-02 00:38:46 UTC | 15331 | OUT | |
| 2024-12-02 00:38:46 UTC | 15331 | OUT | |
| 2024-12-02 00:38:46 UTC | 15331 | OUT | |
| 2024-12-02 00:38:46 UTC | 15331 | OUT | |
| 2024-12-02 00:38:46 UTC | 15331 | OUT | |
| 2024-12-02 00:38:46 UTC | 15331 | OUT | |
| 2024-12-02 00:38:46 UTC | 15331 | OUT | |
| 2024-12-02 00:38:46 UTC | 15331 | OUT | |
| 2024-12-02 00:38:46 UTC | 15331 | OUT | |
| 2024-12-02 00:38:46 UTC | 15331 | OUT | |
| 2024-12-02 00:38:49 UTC | 1031 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.4 | 49741 | 172.67.165.166 | 443 | 6516 | C:\Users\user\Desktop\tyhkamwdmrg.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-02 00:38:51 UTC | 266 | OUT | |
| 2024-12-02 00:38:51 UTC | 84 | OUT | |
| 2024-12-02 00:38:53 UTC | 1014 | IN | |
| 2024-12-02 00:38:53 UTC | 126 | IN | |
| 2024-12-02 00:38:53 UTC | 5 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
| Target ID: | 0 |
| Start time: | 19:38:25 |
| Start date: | 01/12/2024 |
| Path: | C:\Users\user\Desktop\tyhkamwdmrg.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x2f0000 |
| File size: | 1'272'832 bytes |
| MD5 hash: | 949249A7EFCD8C6FD21BC9FFE9ECFDBB |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Reputation: | low |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 3.8% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 70.3% |
| Total number of Nodes: | 239 |
| Total number of Limit Nodes: | 23 |
Graph
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00311320 Relevance: 29.3, Strings: 23, Instructions: 589COMMON
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002FB9F0 Relevance: 18.1, Strings: 14, Instructions: 637COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00326CD0 Relevance: 15.2, Strings: 12, Instructions: 238COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00313027 Relevance: 5.4, Strings: 4, Instructions: 413COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004AB208 Relevance: 3.9, Strings: 3, Instructions: 184COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0039CBD0 Relevance: 3.8, Strings: 3, Instructions: 78COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0032E550 Relevance: 2.8, Strings: 2, Instructions: 318COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0031C375 Relevance: 1.9, APIs: 1, Instructions: 373COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0032DCA0 Relevance: 1.5, Strings: 1, Instructions: 291COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0032B1C0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0039C634 Relevance: 1.5, APIs: 1, Instructions: 9nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00329850 Relevance: 1.4, Strings: 1, Instructions: 184COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0032D8F0 Relevance: 1.4, Strings: 1, Instructions: 147COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003FACA4 Relevance: 1.4, Strings: 1, Instructions: 128COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00316AA0 Relevance: .3, Instructions: 334COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002F9200 Relevance: .2, Instructions: 157COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0039ACC0 Relevance: .1, Instructions: 55COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00374490 Relevance: .0, Instructions: 46COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0039C7F0 Relevance: .0, Instructions: 19COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0032B160 Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002FD408 Relevance: 1.5, APIs: 1, Instructions: 29COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003297FB Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00320AFC Relevance: 1.5, APIs: 1, Instructions: 23COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0031ED13 Relevance: 1.5, APIs: 1, Instructions: 21COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002FD3C0 Relevance: 1.5, APIs: 1, Instructions: 17COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00329820 Relevance: 1.5, APIs: 1, Instructions: 13memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0032494B Relevance: 57.8, Strings: 46, Instructions: 343COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00325E0A Relevance: 57.8, Strings: 46, Instructions: 338COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00415498 Relevance: 48.2, Strings: 38, Instructions: 740COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002FB4D0 Relevance: 17.9, Strings: 14, Instructions: 422COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00307229 Relevance: 17.2, Strings: 13, Instructions: 969COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00313BA0 Relevance: 14.9, Strings: 11, Instructions: 1110COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003138D0 Relevance: 13.7, Strings: 10, Instructions: 1172COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00313D10 Relevance: 13.4, Strings: 10, Instructions: 942COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00309DE0 Relevance: 10.4, Strings: 7, Instructions: 1630COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003022F3 Relevance: 9.3, Strings: 7, Instructions: 560COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003058B0 Relevance: 9.1, Strings: 7, Instructions: 330COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002F9FB0 Relevance: 9.1, Strings: 7, Instructions: 322COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0030C8A0 Relevance: 8.4, Strings: 6, Instructions: 877COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00308B09 Relevance: 7.2, Strings: 5, Instructions: 915COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00318B2F Relevance: 7.1, Strings: 5, Instructions: 826COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044B05C Relevance: 6.9, Strings: 5, Instructions: 623COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003157D9 Relevance: 6.8, Strings: 5, Instructions: 545COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00316220 Relevance: 6.8, Strings: 5, Instructions: 509COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00306BF5 Relevance: 6.6, Strings: 5, Instructions: 340COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00440E4C Relevance: 6.4, Strings: 5, Instructions: 179COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00319136 Relevance: 5.7, Strings: 4, Instructions: 718COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00318FDD Relevance: 5.7, Strings: 4, Instructions: 702COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002F4DB0 Relevance: 5.5, Strings: 4, Instructions: 505COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00316E50 Relevance: 5.5, Strings: 4, Instructions: 501COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0030EBD0 Relevance: 4.7, Strings: 3, Instructions: 997COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0030FE50 Relevance: 4.4, Strings: 3, Instructions: 670COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002F548B Relevance: 4.4, Strings: 3, Instructions: 651COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00305220 Relevance: 4.4, Strings: 3, Instructions: 622COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00307F07 Relevance: 4.0, Strings: 3, Instructions: 266COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00319830 Relevance: 4.0, Strings: 3, Instructions: 227COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00313598 Relevance: 3.9, Strings: 3, Instructions: 183COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00318A40 Relevance: 3.9, Strings: 3, Instructions: 116COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003B6C0C Relevance: 3.4, Strings: 2, Instructions: 905COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00329F20 Relevance: 3.1, Strings: 2, Instructions: 625COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0031CA25 Relevance: 3.1, Strings: 2, Instructions: 603COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00319B75 Relevance: 3.0, Strings: 2, Instructions: 499COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00317B83 Relevance: 2.9, Strings: 2, Instructions: 395COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002F9B90 Relevance: 2.9, Strings: 2, Instructions: 391COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041AA04 Relevance: 2.9, Strings: 2, Instructions: 390COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0032E250 Relevance: 2.8, Strings: 2, Instructions: 309COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041DA18 Relevance: 2.8, Strings: 2, Instructions: 304COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0032DF80 Relevance: 2.8, Strings: 2, Instructions: 279COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00315F30 Relevance: 2.7, Strings: 2, Instructions: 239COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00435958 Relevance: 2.7, Strings: 2, Instructions: 236COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0030E9A0 Relevance: 2.7, Strings: 2, Instructions: 199COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00307FD3 Relevance: 2.7, Strings: 2, Instructions: 177COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003076F4 Relevance: 2.7, Strings: 2, Instructions: 170COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0030C0FE Relevance: 2.6, Strings: 2, Instructions: 123COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00315C50 Relevance: 2.6, Strings: 2, Instructions: 84COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0030D38F Relevance: 2.0, Strings: 1, Instructions: 734COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0032CBC0 Relevance: 1.9, Strings: 1, Instructions: 616COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00306324 Relevance: 1.8, Strings: 1, Instructions: 574COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00421EB0 Relevance: 1.8, Strings: 1, Instructions: 518COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00311E70 Relevance: 1.7, Strings: 1, Instructions: 440COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0031AB40 Relevance: 1.7, Strings: 1, Instructions: 409COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044C8C4 Relevance: 1.6, Strings: 1, Instructions: 368COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0032A660 Relevance: 1.6, Strings: 1, Instructions: 358COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002F5790 Relevance: 1.6, Strings: 1, Instructions: 356COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0031786C Relevance: 1.6, Strings: 1, Instructions: 352COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042EFF0 Relevance: 1.6, Strings: 1, Instructions: 320COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004AFF40 Relevance: 1.6, Strings: 1, Instructions: 320COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002FDF60 Relevance: 1.6, Strings: 1, Instructions: 312COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0030DEE0 Relevance: 1.6, Strings: 1, Instructions: 307COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0039BCF8 Relevance: 1.6, APIs: 1, Instructions: 52nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0039C180 Relevance: 1.5, APIs: 1, Instructions: 48nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0039C58C Relevance: 1.5, APIs: 1, Instructions: 48nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0039BCA0 Relevance: 1.5, APIs: 1, Instructions: 44nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0039BC50 Relevance: 1.5, APIs: 1, Instructions: 40nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0039BF04 Relevance: 1.5, APIs: 1, Instructions: 40nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0039C028 Relevance: 1.5, APIs: 1, Instructions: 36nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0039C3F4 Relevance: 1.5, APIs: 1, Instructions: 36nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0039C5EC Relevance: 1.5, APIs: 1, Instructions: 36nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0039C070 Relevance: 1.5, APIs: 1, Instructions: 32nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0039C0B0 Relevance: 1.5, APIs: 1, Instructions: 32nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0039C1E0 Relevance: 1.5, APIs: 1, Instructions: 32nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0039BF74 Relevance: 1.5, APIs: 1, Instructions: 32nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0039BFE8 Relevance: 1.5, APIs: 1, Instructions: 32nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0039C338 Relevance: 1.5, APIs: 1, Instructions: 26nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0039C558 Relevance: 1.5, APIs: 1, Instructions: 26nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0039BBB0 Relevance: 1.5, APIs: 1, Instructions: 26nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0039BDE0 Relevance: 1.5, APIs: 1, Instructions: 26nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0039BFB4 Relevance: 1.5, APIs: 1, Instructions: 26nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002F66F0 Relevance: 1.5, Strings: 1, Instructions: 274COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0039C27C Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0039BD60 Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0039BF54 Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0039C2C4 Relevance: 1.5, APIs: 1, Instructions: 11nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0039C53C Relevance: 1.5, APIs: 1, Instructions: 11nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00384FF0 Relevance: 1.5, Strings: 1, Instructions: 259COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00442434 Relevance: 1.5, Strings: 1, Instructions: 238COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0031FF40 Relevance: 1.5, Strings: 1, Instructions: 233COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0031BA8B Relevance: 1.4, Strings: 1, Instructions: 198COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003FA264 Relevance: 1.4, Strings: 1, Instructions: 181COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003FA600 Relevance: 1.4, Strings: 1, Instructions: 181COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003FAA40 Relevance: 1.4, Strings: 1, Instructions: 181COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003F9268 Relevance: 1.4, Strings: 1, Instructions: 120COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00329A80 Relevance: 1.4, Strings: 1, Instructions: 100COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0030B72D Relevance: 1.3, Strings: 1, Instructions: 90COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00329E70 Relevance: 1.3, Strings: 1, Instructions: 71COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00329BA0 Relevance: 1.3, Strings: 1, Instructions: 52COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044913C Relevance: .7, Instructions: 681COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002F7260 Relevance: .7, Instructions: 670COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002F2FC0 Relevance: .7, Instructions: 657COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002F7D70 Relevance: .6, Instructions: 623COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002F39C0 Relevance: .6, Instructions: 622COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00454C38 Relevance: .6, Instructions: 620COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002F60D0 Relevance: .5, Instructions: 539COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00419AC8 Relevance: .5, Instructions: 521COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003D7C28 Relevance: .4, Instructions: 405COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0030E220 Relevance: .3, Instructions: 337COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002F6DB0 Relevance: .3, Instructions: 314COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003C882C Relevance: .3, Instructions: 284COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00435E80 Relevance: .3, Instructions: 284COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0031F3DB Relevance: .3, Instructions: 264COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0038F97C Relevance: .3, Instructions: 258COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00327940 Relevance: .2, Instructions: 244COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00311C00 Relevance: .2, Instructions: 244COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044880C Relevance: .2, Instructions: 238COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0030E630 Relevance: .2, Instructions: 232COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0031A620 Relevance: .2, Instructions: 230COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044F01C Relevance: .2, Instructions: 222COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003ACBB0 Relevance: .2, Instructions: 218COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00321700 Relevance: .2, Instructions: 213COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0031E810 Relevance: .2, Instructions: 208COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002F23C0 Relevance: .2, Instructions: 207COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0031BA45 Relevance: .2, Instructions: 194COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0031E4D0 Relevance: .2, Instructions: 192COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00326800 Relevance: .2, Instructions: 192COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044ED68 Relevance: .2, Instructions: 190COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003265A0 Relevance: .2, Instructions: 189COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0031A3D0 Relevance: .2, Instructions: 183COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003F7AC8 Relevance: .2, Instructions: 174COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0033383F Relevance: .2, Instructions: 171COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0032C890 Relevance: .2, Instructions: 169COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00453048 Relevance: .2, Instructions: 158COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0030BF13 Relevance: .2, Instructions: 151COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003326C9 Relevance: .1, Instructions: 139COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003F7D94 Relevance: .1, Instructions: 123COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 003F7F24 Relevance: .1, Instructions: 123COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0033388B Relevance: .1, Instructions: 121COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00327C00 Relevance: .1, Instructions: 118COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00327E70 Relevance: .1, Instructions: 110COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002FF754 Relevance: .1, Instructions: 99COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0032C980 Relevance: .1, Instructions: 97COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002F1F20 Relevance: .1, Instructions: 95COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002F93F0 Relevance: .1, Instructions: 81COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00319079 Relevance: .1, Instructions: 65COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00324050 Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0031A580 Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002F2C70 Relevance: .1, Instructions: 54COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002FA85B Relevance: .0, Instructions: 25COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0032B200 Relevance: .0, Instructions: 20COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|