Edit tour
Windows
Analysis Report
IBAN payment confirmation.exe
Overview
General Information
| Sample name: | IBAN payment confirmation.exe |
| Analysis ID: | 1567427 |
| MD5: | b134b557b86a160168de0c56ba982ea6 |
| SHA1: | 7c6e7f286bc9de5bd66a5cf4713d7938e78ab3ae |
| SHA256: | 5b67270f1f8cfdbb96cfa359f9d9caa35fcfa9538ef8a3b27fff7b7001c3584c |
| Tags: | exeuser-abuse_ch |
| Infos: |  |
 | |
Detection
GuLoader, MassLogger RAT
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected MassLogger RAT
Yara detected Telegram RAT
AI detected suspicious sample
Disable Task Manager(disabletaskmgr)
Disables CMD prompt
Disables the Windows task manager (taskmgr)
Initial sample is a PE file and has a suspicious name
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Classification
- System is w10x64
IBAN payment confirmation.exe (PID: 3432 cmdline: "C:\Users\ user\Deskt op\IBAN pa yment conf irmation.e xe" MD5: B134B557B86A160168DE0C56BA982EA6) - IBAN payment confirmation.exe (PID: 3824 cmdline:
"C:\Users\ user\Deskt op\IBAN pa yment conf irmation.e xe" MD5: B134B557B86A160168DE0C56BA982EA6)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution |
{"C2 url": "https://api.telegram.org/bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendMessage"}{"EXfil Mode": "Telegram", "Telegram Token": "7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s", "Telegram Chatid": "2065242915"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | ||
| JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | ||
| JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security | ||
| Click to see the 2 entries | ||||
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-03T15:20:36.970827+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49903 | 149.154.167.220 | 443 | TCP |
| 2024-12-03T15:20:40.631481+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49913 | 149.154.167.220 | 443 | TCP |
| 2024-12-03T15:20:45.275440+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49926 | 149.154.167.220 | 443 | TCP |
| 2024-12-03T15:20:48.795846+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49935 | 149.154.167.220 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-03T15:20:26.610765+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49862 | 132.226.247.73 | 80 | TCP |
| 2024-12-03T15:20:34.829536+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49862 | 132.226.247.73 | 80 | TCP |
| 2024-12-03T15:20:38.657701+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49909 | 132.226.247.73 | 80 | TCP |
| 2024-12-03T15:20:43.220296+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49919 | 132.226.247.73 | 80 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-03T15:20:11.187457+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49841 | 172.217.19.174 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
Location Tracking | |
|---|
| Source: | DNS query: | ||
| Source: | Code function: | 11_2_3983B4C0 | |
| Source: | Code function: | 11_2_3983BCB8 | |
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 0_2_00405772 | |
| Source: | Code function: | 0_2_0040622D | |
| Source: | Code function: | 0_2_00402770 | |
| Source: | Code function: | 11_2_00402770 | |
| Source: | Code function: | 11_2_00405772 | |
| Source: | Code function: | 11_2_0040622D | |
| Source: | Code function: | 11_2_0011E6A8 | |
| Source: | Code function: | 11_2_0011EC58 | |
| Source: | Code function: | 11_2_0011EFAF | |
| Source: | Code function: | 11_2_3983A928 | |
| Source: | Code function: | 11_2_3983C628 | |
| Source: | Code function: | 11_2_3983EFA0 | |
| Source: | Code function: | 11_2_398397C8 | |
| Source: | Code function: | 11_2_3983C1D0 | |
| Source: | Code function: | 11_2_3983F3F8 | |
| Source: | Code function: | 11_2_3983D330 | |
| Source: | Code function: | 11_2_3983EB48 | |
| Source: | Code function: | 11_2_39839370 | |
| Source: | Code function: | 11_2_3983BD78 | |
| Source: | Code function: | 11_2_3983CA80 | |
| Source: | Code function: | 11_2_3983A4D0 | |
| Source: | Code function: | 11_2_3983CED8 | |
| Source: | Code function: | 11_2_3983E6F0 | |
| Source: | Code function: | 11_2_39839C20 | |
| Source: | Code function: | 11_2_3983F850 | |
| Source: | Code function: | 11_2_3983A078 | |
| Source: | Code function: | 11_2_39C998D0 | |
| Source: | Code function: | 11_2_39C96130 | |
| Source: | Code function: | 11_2_39C96130 | |
| Source: | Code function: | 11_2_39C939F0 | |
| Source: | Code function: | 11_2_39C908F0 | |
| Source: | Code function: | 11_2_39C92890 | |
| Source: | Code function: | 11_2_39C94B50 | |
| Source: | Code function: | 11_2_39C91A50 | |
| Source: | Code function: | 11_2_39C90D48 | |
| Source: | Code function: | 11_2_39C92CE8 | |
| Source: | Code function: | 11_2_39C94FA8 | |
| Source: | Code function: | 11_2_39C91EA8 | |
| Source: | Code function: | 11_2_39C93E48 | |
| Source: | Code function: | 11_2_39C911A0 | |
| Source: | Code function: | 11_2_39C93140 | |
| Source: | Code function: | 11_2_39C90040 | |
| Source: | Code function: | 11_2_39C92300 | |
| Source: | Code function: | 11_2_39C942A0 | |
| Source: | Code function: | 11_2_39C915F8 | |
| Source: | Code function: | 11_2_39C93598 | |
| Source: | Code function: | 11_2_39C90498 | |
| Source: | Code function: | 11_2_39C9A6C7 | |
| Source: | Code function: | 11_2_39C946F8 | |
| Source: | Code function: | 11_2_39C9563C | |
| Source: | Code function: | 11_2_3A20E710 | |
| Source: | Code function: | 11_2_3A20F25E | |
| Source: | Code function: | 11_2_3A20F520 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | JA3 fingerprint: | ||
| Source: | JA3 fingerprint: | ||
| Source: | DNS query: | ||
| Source: | DNS query: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 0_2_004052D3 | |
System Summary | |
|---|
| Source: | Static PE information: | ||
| Source: | Process Stats: | ||
| Source: | Code function: | 0_2_0040335A | |
| Source: | Code function: | 11_2_0040335A | |
| Source: | File created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00404B10 | |
| Source: | Code function: | 0_2_0040653F | |
| Source: | Code function: | 11_2_00404B10 | |
| Source: | Code function: | 11_2_0040653F | |
| Source: | Code function: | 11_2_00114328 | |
| Source: | Code function: | 11_2_0011E6A8 | |
| Source: | Code function: | 11_2_001127B9 | |
| Source: | Code function: | 11_2_00118DA0 | |
| Source: | Code function: | 11_2_00115968 | |
| Source: | Code function: | 11_2_00115F90 | |
| Source: | Code function: | 11_2_0011E6A5 | |
| Source: | Code function: | 11_2_00112DD1 | |
| Source: | Code function: | 11_2_3983AF80 | |
| Source: | Code function: | 11_2_3983A928 | |
| Source: | Code function: | 11_2_39835B28 | |
| Source: | Code function: | 11_2_39831608 | |
| Source: | Code function: | 11_2_3983C628 | |
| Source: | Code function: | 11_2_39835180 | |
| Source: | Code function: | 11_2_3983D788 | |
| Source: | Code function: | 11_2_3983EF90 | |
| Source: | Code function: | 11_2_3983EFA0 | |
| Source: | Code function: | 11_2_398397B9 | |
| Source: | Code function: | 11_2_3983C1C0 | |
| Source: | Code function: | 11_2_398397C8 | |
| Source: | Code function: | 11_2_3983C1D0 | |
| Source: | Code function: | 11_2_3983F3EC | |
| Source: | Code function: | 11_2_3983F3F8 | |
| Source: | Code function: | 11_2_398315FC | |
| Source: | Code function: | 11_2_39835908 | |
| Source: | Code function: | 11_2_3983A919 | |
| Source: | Code function: | 11_2_3983D321 | |
| Source: | Code function: | 11_2_3983D330 | |
| Source: | Code function: | 11_2_3983EB43 | |
| Source: | Code function: | 11_2_3983EB48 | |
| Source: | Code function: | 11_2_39839361 | |
| Source: | Code function: | 11_2_3983BD68 | |
| Source: | Code function: | 11_2_39839370 | |
| Source: | Code function: | 11_2_3983BD78 | |
| Source: | Code function: | 11_2_3983CA80 | |
| Source: | Code function: | 11_2_39834CAB | |
| Source: | Code function: | 11_2_3983A4C0 | |
| Source: | Code function: | 11_2_3983CEC8 | |
| Source: | Code function: | 11_2_3983A4D0 | |
| Source: | Code function: | 11_2_3983CED8 | |
| Source: | Code function: | 11_2_3983E6ED | |
| Source: | Code function: | 11_2_3983E6F0 | |
| Source: | Code function: | 11_2_398360FE | |
| Source: | Code function: | 11_2_39839C11 | |
| Source: | Code function: | 11_2_3983C618 | |
| Source: | Code function: | 11_2_39839C20 | |
| Source: | Code function: | 11_2_3983F844 | |
| Source: | Code function: | 11_2_3983F850 | |
| Source: | Code function: | 11_2_3983A068 | |
| Source: | Code function: | 11_2_3983CA70 | |
| Source: | Code function: | 11_2_3983A078 | |
| Source: | Code function: | 11_2_3983AE78 | |
| Source: | Code function: | 11_2_39C998D0 | |
| Source: | Code function: | 11_2_39C97E40 | |
| Source: | Code function: | 11_2_39C971A8 | |
| Source: | Code function: | 11_2_39C96130 | |
| Source: | Code function: | 11_2_39C99568 | |
| Source: | Code function: | 11_2_39C98490 | |
| Source: | Code function: | 11_2_39C977F0 | |
| Source: | Code function: | 11_2_39C939EC | |
| Source: | Code function: | 11_2_39C939F0 | |
| Source: | Code function: | 11_2_39C908E4 | |
| Source: | Code function: | 11_2_39C908F0 | |
| Source: | Code function: | 11_2_39C92890 | |
| Source: | Code function: | 11_2_39C9287F | |
| Source: | Code function: | 11_2_39C94B48 | |
| Source: | Code function: | 11_2_39C94B50 | |
| Source: | Code function: | 11_2_39C98AD8 | |
| Source: | Code function: | 11_2_39C98AD5 | |
| Source: | Code function: | 11_2_39C91A44 | |
| Source: | Code function: | 11_2_39C91A50 | |
| Source: | Code function: | 11_2_39C90D48 | |
| Source: | Code function: | 11_2_39C90D38 | |
| Source: | Code function: | 11_2_39C92CD8 | |
| Source: | Code function: | 11_2_39C92CE8 | |
| Source: | Code function: | 11_2_39C94FA8 | |
| Source: | Code function: | 11_2_39C94FA4 | |
| Source: | Code function: | 11_2_39C91E98 | |
| Source: | Code function: | 11_2_39C91EA8 | |
| Source: | Code function: | 11_2_39C93E48 | |
| Source: | Code function: | 11_2_39C93E38 | |
| Source: | Code function: | 11_2_39C97E3B | |
| Source: | Code function: | 11_2_39C91190 | |
| Source: | Code function: | 11_2_39C911A0 | |
| Source: | Code function: | 11_2_39C93140 | |
| Source: | Code function: | 11_2_39C96123 | |
| Source: | Code function: | 11_2_39C93130 | |
| Source: | Code function: | 11_2_39C90040 | |
| Source: | Code function: | 11_2_39C90006 | |
| Source: | Code function: | 11_2_39C9E020 | |
| Source: | Code function: | 11_2_39C9E030 | |
| Source: | Code function: | 11_2_39C92300 | |
| Source: | Code function: | 11_2_39C922F3 | |
| Source: | Code function: | 11_2_39C94293 | |
| Source: | Code function: | 11_2_39C942A0 | |
| Source: | Code function: | 11_2_39C915F8 | |
| Source: | Code function: | 11_2_39C915F0 | |
| Source: | Code function: | 11_2_39C93588 | |
| Source: | Code function: | 11_2_39C93598 | |
| Source: | Code function: | 11_2_39C90488 | |
| Source: | Code function: | 11_2_39C9848C | |
| Source: | Code function: | 11_2_39C90498 | |
| Source: | Code function: | 11_2_39C977EC | |
| Source: | Code function: | 11_2_39C946F8 | |
| Source: | Code function: | 11_2_39C946F4 | |
| Source: | Code function: | 11_2_39C9563C | |
| Source: | Code function: | 11_2_3A206E80 | |
| Source: | Code function: | 11_2_3A20E710 | |
| Source: | Code function: | 11_2_3A20D558 | |
| Source: | Code function: | 11_2_3A2080E8 | |
| Source: | Code function: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_004045CA | |
| Source: | Code function: | 0_2_0040206A | |
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
Data Obfuscation | |
|---|
| Source: | File source: | ||
| Source: | Code function: | 0_2_00406254 | |
| Source: | Code function: | 0_2_10002DCE | |
| Source: | Code function: | 11_2_39C939EA | |
| Source: | Code function: | 11_2_39C939E6 | |
| Source: | Code function: | 11_2_39C94F9E | |
| Source: | Code function: | 11_2_39C94FA2 | |
| Source: | Code function: | 11_2_39C97E39 | |
| Source: | Code function: | 11_2_39C94292 | |
| Source: | File created: | Jump to dropped file | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | API/Special instruction interceptor: | ||
| Source: | API/Special instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | API coverage: | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Code function: | 0_2_00405772 | |
| Source: | Code function: | 0_2_0040622D | |
| Source: | Code function: | 0_2_00402770 | |
| Source: | Code function: | 11_2_00402770 | |
| Source: | Code function: | 11_2_00405772 | |
| Source: | Code function: | 11_2_0040622D | |
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_0-4798 | ||
| Source: | API call chain: | graph_0-4803 | ||
| Source: | Code function: | 0_2_00406254 | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_00405F0C | |
| Source: | Key value queried: | Jump to behavior | ||
Lowering of HIPS / PFW / Operating System Security Settings | |
|---|
| Source: | Registry value created: | Jump to behavior | ||
| Source: | Registry value created: | Jump to behavior | ||
| Source: | Registry key created or modified: | Jump to behavior | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 11 Process Injection | 11 Masquerading | 1 OS Credential Dumping | 21 Security Software Discovery | Remote Services | 1 Email Collection | 1 Web Service | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 31 Disable or Modify Tools | LSASS Memory | 31 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 31 Virtualization/Sandbox Evasion | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | 1 Data from Local System | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 1 System Network Configuration Discovery | Distributed Component Object Model | 1 Clipboard Data | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | 14 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 215 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 16% | ReversingLabs | |||
| 100% | Avira | HEUR/AGEN.1337946 |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| drive.google.com | 172.217.19.174 | true | false | high | |
| drive.usercontent.google.com | 142.250.181.1 | true | false | high | |
| reallyfreegeoip.org | 104.21.67.152 | true | false | high | |
| api.telegram.org | 149.154.167.220 | true | false | high | |
| checkip.dyndns.com | 132.226.247.73 | true | false | high | |
| checkip.dyndns.org | unknown | unknown | false | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | high | ||
| false | high | ||
| false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false | |
| 142.250.181.1 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false | |
| 104.21.67.152 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false | |
| 172.217.19.174 | drive.google.com | United States | 15169 | GOOGLEUS | false | |
| 132.226.247.73 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1567427 |
| Start date and time: | 2024-12-03 15:17:49 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 7m 24s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 14 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | IBAN payment confirmation.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@3/8@5/5 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- VT rate limit hit for: IBAN payment confirmation.exe
| Time | Type | Description |
|---|---|---|
| 10:42:37 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 149.154.167.220 | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | ||
| Get hash | malicious | DarkCloud | Browse | |||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Stealerium | Browse | |||
| Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | HTMLPhisher | Browse | |||
| Get hash | malicious | HTMLPhisher | Browse | |||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
| 104.21.67.152 | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | ||
| Get hash | malicious | Snake Keylogger | Browse | |||
| Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse | |||
| Get hash | malicious | MassLogger RAT | Browse | |||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse | |||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse | |||
| Get hash | malicious | MassLogger RAT | Browse | |||
| Get hash | malicious | MassLogger RAT | Browse | |||
| Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | |||
| 132.226.247.73 | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| |
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| checkip.dyndns.com | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| |
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| reallyfreegeoip.org | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| |
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| api.telegram.org | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| |
| Get hash | malicious | DarkCloud | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Stealerium | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| TELEGRAMRU | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| |
| Get hash | malicious | DarkCloud | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Stealerium | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| CLOUDFLARENETUS | Get hash | malicious | AgentTesla | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| UTMEMUS | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| |
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 54328bd36c14bd82ddaa0c04b25ed9ad | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| |
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| 3b5074b1b5d032e5620f69f9f700ff0e | Get hash | malicious | AgentTesla | Browse |
| |
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | Quasar | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Quasar | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | KnowBe4 | Browse |
| ||
| 37f463bf4616ecd445d4a1937da06e19 | Get hash | malicious | DarkCloud | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\nsl71F.tmp\System.dll | Get hash | malicious | GuLoader, MassLogger RAT | Browse | ||
| Get hash | malicious | Azorult, GuLoader | Browse | |||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse | |||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse | |||
| Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | |||
| Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | |||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse | |||
| Get hash | malicious | GuLoader | Browse |
| Process: | C:\Users\user\Desktop\IBAN payment confirmation.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1175563 |
| Entropy (8bit): | 3.389619853796875 |
| Encrypted: | false |
| SSDEEP: | 12288:M8rRdGrEHQWmxJZy7gWKJkJz+uQyWpKJ:zfqmIBJkJatpK |
| MD5: | E9467C0EB5305E8D1A4EE735AEC4A25D |
| SHA1: | 7E7AD95671E2E4C797D6BCB7DB014F453B4AF0C7 |
| SHA-256: | 3B4CDB0644298528573EB3184C4CE3B7AF837D076AC21CDB070C7535974337A6 |
| SHA-512: | 1BCB1E7209B190699397F910F853F025D87C0E1A9387CD6E87424EFCAAFE95BB535C530B15EDCAD01864DB3146C0D7EFE8E350476434B8DCFC6B6080A2E323B2 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\IBAN payment confirmation.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 11264 |
| Entropy (8bit): | 5.801108840712148 |
| Encrypted: | false |
| SSDEEP: | 192:e/b2HS5ih/7i00eWz9T7PH6yeFcQMI5+Vw+EXWZ77dslFZk:ewSUmWw9T7MmnI5+/F7Kdk |
| MD5: | FC90DFB694D0E17B013D6F818BCE41B0 |
| SHA1: | 3243969886D640AF3BFA442728B9F0DFF9D5F5B0 |
| SHA-256: | 7FE77CA13121A113C59630A3DBA0C8AAA6372E8082393274DA8F8608C4CE4528 |
| SHA-512: | 324F13AA7A33C6408E2A57C3484D1691ECEE7C3C1366DE2BB8978C8DC66B18425D8CAB5A32D1702C13C43703E36148A022263DE7166AFDCE141DA2B01169F1C6 |
| Malicious: | false |
| Antivirus: |
|
| Joe Sandbox View: |
|
| Reputation: | moderate, very likely benign file |
| Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Kopieringsprogrammet\Inclinator\Emalje.kap
Download File
| Process: | C:\Users\user\Desktop\IBAN payment confirmation.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 161977 |
| Entropy (8bit): | 1.2465706431701635 |
| Encrypted: | false |
| SSDEEP: | 768:j91kr2E4uLB4rAvVSJUxZOKLuPYUIlh6njQqVK+P7T6r6hI4W7lD1jBCgUpo:94irAZug+TLg1cpo |
| MD5: | 818D9B577C6A2CCB8C8D753C89B0AEED |
| SHA1: | 1912E60E75B47E0AC0B0ACDB2B320F0B36D3CE22 |
| SHA-256: | B53DFB245A8D5A0F0FAEEC7E8B4AE273522AC29FD29B33608F9BA7F9ADB90279 |
| SHA-512: | 91993AA2E3E2666A3945886101B2B670CD3B0D76CF3CFFF3684DCB310FE324A1C650FAB5D5D00B8CFA49B5A7713FE2DBBA6DC2D8BB8DAC7A169495E6694CE4C6 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Kopieringsprogrammet\Mixerudstyr\Fertiliserer.Ban254
Download File
| Process: | C:\Users\user\Desktop\IBAN payment confirmation.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 29986 |
| Entropy (8bit): | 4.560622606474619 |
| Encrypted: | false |
| SSDEEP: | 768:Pgio3spWQ6sJqPBXqn9IZUaYdJM8qm06/:uspa3g9IZU51Vl |
| MD5: | 1D3EA1813CCF77D02EB0FA2A422D59C2 |
| SHA1: | 243C701DA58EE2E5BA413CBF20A4398042F05D35 |
| SHA-256: | 23274FE6F3C10490E791712D6EE69019919C6203CD1177AD326A1965A80A2E9B |
| SHA-512: | 72B9B883E660364782B87CE926631D424C2065B6F64EE5AC4E866FB949A7CFA47E4DD5C15B1F21900DC3E3C1E512F94B746E1582FFBEE36EE24C8D1AAE8D7D1C |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Kopieringsprogrammet\Mixerudstyr\img2.jpg
Download File
| Process: | C:\Users\user\Desktop\IBAN payment confirmation.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 2929 |
| Entropy (8bit): | 7.418910042244289 |
| Encrypted: | false |
| SSDEEP: | 48:j2XBhBOaFxHfEaq1kk1YunCRbvwxhjAxnyHIvR4SnHP7oNLpLR8Fqhr:j2XBv9Fx2kkO7RihjlovpnHPCpaQ1 |
| MD5: | 49DAF4E74443D8502F3229468615185F |
| SHA1: | 9BB41BF5F382EE315893366F559FA26D57A4CD5F |
| SHA-256: | E5EE495A89E55467DB6A396F012EDB6A71D2E762CFC7FC6846FE7259528BF168 |
| SHA-512: | EE9ABC6A19215FED64584BA24736ECBA24139CD03A75530FF351C99A25628410472A28F4EE08E87CE1F75DC79396A2A9C1AC79C399720C320437BC18993B561A |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Kopieringsprogrammet\Mixerudstyr\pinrail.whe
Download File
| Process: | C:\Users\user\Desktop\IBAN payment confirmation.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 461378 |
| Entropy (8bit): | 1.252059381950645 |
| Encrypted: | false |
| SSDEEP: | 1536:s3tr+hilKd11tUzcxZg7SBobbR5FF7b7IvSog:sRVmQc3u9F7b76 |
| MD5: | 3AD2FE4EA13486258EADDD1E5940A6D7 |
| SHA1: | 06D0468A125D754D4534C182D79444DFB7A1CF61 |
| SHA-256: | E4C5F20595C446D20C978CF7B486579BA2FFC17E64B940733B40C89DF4331319 |
| SHA-512: | 82328E01492BDB8B23555CB369279A5352B35E0B51A4A4AC88D9F9285BBDABA627FE01139B4F9669847252D5A59FC512B2463A364EFD5C33B83309D6A8985D59 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Kopieringsprogrammet\Mixerudstyr\unyouthfully.ske
Download File
| Process: | C:\Users\user\Desktop\IBAN payment confirmation.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 225641 |
| Entropy (8bit): | 1.2362366155163755 |
| Encrypted: | false |
| SSDEEP: | 768:HcPiBl7QD/ad4B+etLBBF64vscOIBiMFYnfBc1TS/HVtHlY4bDzZkmNQyFY670Fn:QaxOPt/G9V4yf7P/zZkX00b/h |
| MD5: | 94C4B93474D07658FCBD411A20E68532 |
| SHA1: | 66421117EB902B48D39A1514C88C868394085FCF |
| SHA-256: | 50B1D7356F0CC22F2A9AE93A7CC9738C6BC0907724ACDB85F68F594333B706DC |
| SHA-512: | BC1C40FF5B9FD71590E9B3E71D7B58A46E8AFBE56DFBD22C39F5DC0952ACEDC96F2BC4D8428EA0BCD75D67BD32F2B095585925CD8141063801FB128EA46F7471 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Kopieringsprogrammet\Sawmont.tho
Download File
| Process: | C:\Users\user\Desktop\IBAN payment confirmation.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 267270 |
| Entropy (8bit): | 7.809499666102177 |
| Encrypted: | false |
| SSDEEP: | 6144:oGjnsVygU2HQWmx3h7D9/aVg4cx+1nVxOWKJkJz9nHA7k2s:9rEHQWmxJZy7gWKJkJz+s |
| MD5: | B94CC3E728075F4C42FED48803C02F56 |
| SHA1: | 7889BE1858ECD63B074214928821AF43D1AB4E3A |
| SHA-256: | DF06C08893B9914C8B135C27D31D7ECB624B503C0C0EAE722E9A1E2C3BB18445 |
| SHA-512: | EC761E7DC0CB9DFA26DF933993FED93F1BEBF59CC6E65FDB48C8D36066D377F20B344C736B3594D76A41A085E764E4DEE20C143D3A47BF877D3900DEB4657DD2 |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.036021399095367 |
| TrID: |
|
| File name: | IBAN payment confirmation.exe |
| File size: | 715'594 bytes |
| MD5: | b134b557b86a160168de0c56ba982ea6 |
| SHA1: | 7c6e7f286bc9de5bd66a5cf4713d7938e78ab3ae |
| SHA256: | 5b67270f1f8cfdbb96cfa359f9d9caa35fcfa9538ef8a3b27fff7b7001c3584c |
| SHA512: | c0f192057f8a8f70508338ebf08637c0bbd36b86189e35f240a602da647617dddb2c8c8e8d7e4c0301d28263c29902147190470426b1e956950bee667de1a3e6 |
| SSDEEP: | 12288:xlYZmcRHOkPavoNvBCkiVbFLTw3qH+ehqv5UR1aIoY:UmcdOkS8vBPi9KmqvSRgQ |
| TLSH: | 39E4E02F27164046FE9415F2B8A3DD47A1F9FEBC116973496CA2FE1790B7B70394A088 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.*ju.*ju.*j..ujw.*ju.+j..*j..wjd.*j!..j..*j..,jt.*jRichu.*j........PE..L.....oS.................`...*......Z3.......p....@ |
 | |
| Icon Hash: | 058cc0e474936126 |
| Entrypoint: | 0x40335a |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
| DLL Characteristics: | TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x536FD79B [Sun May 11 20:03:39 2014 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | e221f4f7d36469d53810a4b5f9fc8966 |
| Instruction |
|---|
| sub esp, 000002D4h |
| push ebx |
| push ebp |
| push esi |
| push edi |
| push 00000020h |
| xor ebp, ebp |
| pop esi |
| mov dword ptr [esp+14h], ebp |
| mov dword ptr [esp+10h], 00409230h |
| mov dword ptr [esp+1Ch], ebp |
| call dword ptr [00407034h] |
| push 00008001h |
| call dword ptr [004070BCh] |
| push ebp |
| call dword ptr [004072ACh] |
| push 00000008h |
| mov dword ptr [00429298h], eax |
| call 00007F65A850098Ch |
| mov dword ptr [004291E4h], eax |
| push ebp |
| lea eax, dword ptr [esp+34h] |
| push 000002B4h |
| push eax |
| push ebp |
| push 00420690h |
| call dword ptr [0040717Ch] |
| push 0040937Ch |
| push 004281E0h |
| call 00007F65A85005F7h |
| call dword ptr [00407134h] |
| mov ebx, 00434000h |
| push eax |
| push ebx |
| call 00007F65A85005E5h |
| push ebp |
| call dword ptr [0040710Ch] |
| cmp word ptr [00434000h], 0022h |
| mov dword ptr [004291E0h], eax |
| mov eax, ebx |
| jne 00007F65A84FDADAh |
| push 00000022h |
| mov eax, 00434002h |
| pop esi |
| push esi |
| push eax |
| call 00007F65A8500036h |
| push eax |
| call dword ptr [00407240h] |
| mov dword ptr [esp+18h], eax |
| jmp 00007F65A84FDB9Eh |
| push 00000020h |
| pop edx |
| cmp cx, dx |
| jne 00007F65A84FDAD9h |
| inc eax |
| inc eax |
| cmp word ptr [eax], dx |
| je 00007F65A84FDACBh |
| add word ptr [eax], 0000h |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7494 | 0xb4 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5f000 | 0x43188 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x2b8 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x5e68 | 0x6000 | 2f6554958e1a5093777de617d6e0bffc | False | 0.6566162109375 | data | 6.419811957742583 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x7000 | 0x1354 | 0x1400 | 2222fe44ebbadbc32af32dfc9c88e48e | False | 0.4306640625 | data | 5.037511188789184 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x9000 | 0x202d8 | 0x600 | 9587277f9a9b39e2caf86eae07909d87 | False | 0.4733072916666667 | data | 3.757932017065988 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .ndata | 0x2a000 | 0x35000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x5f000 | 0x43188 | 0x43200 | ad79ab7bc0418c21ba04b90eb50d4a0c | False | 0.18500494646182494 | data | 4.605797713668011 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_BITMAP | 0x5f2b0 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States | 0.23623853211009174 |
| RT_ICON | 0x5f618 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 270336 | English | United States | 0.1810552711779152 |
| RT_DIALOG | 0xa1640 | 0x144 | data | English | United States | 0.5216049382716049 |
| RT_DIALOG | 0xa1788 | 0x13c | data | English | United States | 0.5506329113924051 |
| RT_DIALOG | 0xa18c8 | 0x100 | data | English | United States | 0.5234375 |
| RT_DIALOG | 0xa19c8 | 0x11c | data | English | United States | 0.6091549295774648 |
| RT_DIALOG | 0xa1ae8 | 0xc4 | data | English | United States | 0.5918367346938775 |
| RT_DIALOG | 0xa1bb0 | 0x60 | data | English | United States | 0.7291666666666666 |
| RT_GROUP_ICON | 0xa1c10 | 0x14 | data | English | United States | 1.1 |
| RT_VERSION | 0xa1c28 | 0x258 | data | English | United States | 0.5216666666666666 |
| RT_MANIFEST | 0xa1e80 | 0x305 | XML 1.0 document, ASCII text, with very long lines (773), with no line terminators | English | United States | 0.5614489003880984 |
| DLL | Import |
|---|---|
| KERNEL32.dll | CompareFileTime, SearchPathW, SetFileTime, CloseHandle, GetShortPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, GetFullPathNameW, CreateDirectoryW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, SetFileAttributesW, ExpandEnvironmentStringsW, SetErrorMode, LoadLibraryW, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, lstrcpyA, lstrcpyW, lstrcatW, GetSystemDirectoryW, GetVersion, GetProcAddress, LoadLibraryA, GetModuleHandleA, GetModuleHandleW, lstrcmpiW, lstrcmpW, WaitForSingleObject, GlobalFree, GlobalAlloc, LoadLibraryExW, GetExitCodeProcess, FreeLibrary, WritePrivateProfileStringW, GetCommandLineW, GetTempPathW, GetPrivateProfileStringW, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, WriteFile, lstrlenA, WideCharToMultiByte |
| USER32.dll | EndDialog, ScreenToClient, GetWindowRect, RegisterClassW, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, wsprintfW, CreateWindowExW, SystemParametersInfoW, AppendMenuW, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, GetDC, SetWindowLongW, LoadImageW, SendMessageTimeoutW, FindWindowExW, EmptyClipboard, OpenClipboard, TrackPopupMenu, EndPaint, ShowWindow, GetDlgItem, IsWindow, SetForegroundWindow |
| GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
| SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW |
| ADVAPI32.dll | RegCloseKey, RegOpenKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW |
| COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
| ole32.dll | CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize |
| VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-03T15:20:11.187457+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.7 | 49841 | 172.217.19.174 | 443 | TCP |
| 2024-12-03T15:20:26.610765+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49862 | 132.226.247.73 | 80 | TCP |
| 2024-12-03T15:20:34.829536+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49862 | 132.226.247.73 | 80 | TCP |
| 2024-12-03T15:20:36.970827+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.7 | 49903 | 149.154.167.220 | 443 | TCP |
| 2024-12-03T15:20:38.657701+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49909 | 132.226.247.73 | 80 | TCP |
| 2024-12-03T15:20:40.631481+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.7 | 49913 | 149.154.167.220 | 443 | TCP |
| 2024-12-03T15:20:43.220296+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49919 | 132.226.247.73 | 80 | TCP |
| 2024-12-03T15:20:45.275440+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.7 | 49926 | 149.154.167.220 | 443 | TCP |
| 2024-12-03T15:20:48.795846+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.7 | 49935 | 149.154.167.220 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 3, 2024 15:20:08.454485893 CET | 49841 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 15:20:08.454507113 CET | 443 | 49841 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 15:20:08.454580069 CET | 49841 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 15:20:08.466970921 CET | 49841 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 15:20:08.466984987 CET | 443 | 49841 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 15:20:10.258627892 CET | 443 | 49841 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 15:20:10.258781910 CET | 49841 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 15:20:10.259515047 CET | 443 | 49841 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 15:20:10.259602070 CET | 49841 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 15:20:10.345861912 CET | 49841 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 15:20:10.345892906 CET | 443 | 49841 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 15:20:10.346281052 CET | 443 | 49841 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 15:20:10.348213911 CET | 49841 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 15:20:10.352227926 CET | 49841 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 15:20:10.399327993 CET | 443 | 49841 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 15:20:11.187448025 CET | 443 | 49841 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 15:20:11.187581062 CET | 49841 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 15:20:11.187602997 CET | 443 | 49841 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 15:20:11.187650919 CET | 49841 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 15:20:11.187911034 CET | 49841 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 15:20:11.187947035 CET | 443 | 49841 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 15:20:11.187998056 CET | 49841 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 15:20:11.342762947 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:11.342813969 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:11.342976093 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:11.343244076 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:11.343256950 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:13.044450045 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:13.044538975 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:13.048747063 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:13.048757076 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:13.049067020 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:13.049122095 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:13.056226015 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:13.103329897 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:15.793368101 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:15.793507099 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:15.806154013 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:15.806277990 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:15.913569927 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:15.913695097 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:15.913712025 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:15.913758039 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:15.917422056 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:15.917511940 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:15.985066891 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:15.985188961 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:15.987289906 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:15.987337112 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:15.995471001 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:15.995547056 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:15.996421099 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:15.996618986 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.004441977 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.004523039 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.005791903 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.005851030 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.014734983 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.014837027 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.015372992 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.015440941 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.023602009 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.023660898 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.028273106 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.028351068 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.032397985 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.032458067 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.041783094 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.041851044 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.045248985 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.045308113 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.055201054 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.055247068 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.058274031 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.058346987 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.068911076 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.068968058 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.072041035 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.072089911 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.083297968 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.083359957 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.086692095 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.086747885 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.096215010 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.096287966 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.105180025 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.105251074 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.116189003 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.116245985 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.116293907 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.116338015 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.123539925 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.123606920 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.145397902 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.145462036 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.145534992 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.145580053 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.176351070 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.176469088 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.176485062 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.176536083 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.178570986 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.178628922 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.183356047 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.183408976 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.183588028 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.183629990 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.186542988 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.186625004 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.186660051 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.186709881 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.198472023 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.198529959 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.198635101 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.198678017 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.198688030 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.198730946 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.209045887 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.209105015 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.209289074 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.209333897 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.219990969 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.220163107 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.220181942 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.220222950 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.229932070 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.230030060 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.230093956 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.230165005 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.240149021 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.240221977 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.240328074 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.240372896 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.250508070 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.250574112 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.250659943 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.250705957 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.260258913 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.260344028 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.260375023 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.260413885 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.270427942 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.270493984 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.270649910 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.270690918 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.280601025 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.280781031 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.281192064 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.281244040 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.290050983 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.290101051 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.290236950 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.290282011 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.299141884 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.299206972 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.299401999 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.299446106 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.309334993 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.309407949 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.309417963 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.309463024 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.317121029 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.317229986 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.317238092 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.317285061 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.317972898 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.318026066 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.318077087 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.318113089 CET | 443 | 49850 | 142.250.181.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.318161964 CET | 49850 | 443 | 192.168.2.7 | 142.250.181.1 |
| Dec 3, 2024 15:20:16.939457893 CET | 49862 | 80 | 192.168.2.7 | 132.226.247.73 |
| Dec 3, 2024 15:20:17.063390970 CET | 80 | 49862 | 132.226.247.73 | 192.168.2.7 |
| Dec 3, 2024 15:20:17.063541889 CET | 49862 | 80 | 192.168.2.7 | 132.226.247.73 |
| Dec 3, 2024 15:20:17.064028025 CET | 49862 | 80 | 192.168.2.7 | 132.226.247.73 |
| Dec 3, 2024 15:20:17.184056044 CET | 80 | 49862 | 132.226.247.73 | 192.168.2.7 |
| Dec 3, 2024 15:20:24.118107080 CET | 80 | 49862 | 132.226.247.73 | 192.168.2.7 |
| Dec 3, 2024 15:20:24.122697115 CET | 49862 | 80 | 192.168.2.7 | 132.226.247.73 |
| Dec 3, 2024 15:20:24.243370056 CET | 80 | 49862 | 132.226.247.73 | 192.168.2.7 |
| Dec 3, 2024 15:20:26.556296110 CET | 80 | 49862 | 132.226.247.73 | 192.168.2.7 |
| Dec 3, 2024 15:20:26.610764980 CET | 49862 | 80 | 192.168.2.7 | 132.226.247.73 |
| Dec 3, 2024 15:20:27.016796112 CET | 49886 | 443 | 192.168.2.7 | 104.21.67.152 |
| Dec 3, 2024 15:20:27.016849995 CET | 443 | 49886 | 104.21.67.152 | 192.168.2.7 |
| Dec 3, 2024 15:20:27.017010927 CET | 49886 | 443 | 192.168.2.7 | 104.21.67.152 |
| Dec 3, 2024 15:20:27.019627094 CET | 49886 | 443 | 192.168.2.7 | 104.21.67.152 |
| Dec 3, 2024 15:20:27.019642115 CET | 443 | 49886 | 104.21.67.152 | 192.168.2.7 |
| Dec 3, 2024 15:20:28.282742977 CET | 443 | 49886 | 104.21.67.152 | 192.168.2.7 |
| Dec 3, 2024 15:20:28.282818079 CET | 49886 | 443 | 192.168.2.7 | 104.21.67.152 |
| Dec 3, 2024 15:20:28.311359882 CET | 49886 | 443 | 192.168.2.7 | 104.21.67.152 |
| Dec 3, 2024 15:20:28.311392069 CET | 443 | 49886 | 104.21.67.152 | 192.168.2.7 |
| Dec 3, 2024 15:20:28.311865091 CET | 443 | 49886 | 104.21.67.152 | 192.168.2.7 |
| Dec 3, 2024 15:20:28.349675894 CET | 49886 | 443 | 192.168.2.7 | 104.21.67.152 |
| Dec 3, 2024 15:20:28.395339966 CET | 443 | 49886 | 104.21.67.152 | 192.168.2.7 |
| Dec 3, 2024 15:20:28.751121998 CET | 443 | 49886 | 104.21.67.152 | 192.168.2.7 |
| Dec 3, 2024 15:20:28.751182079 CET | 443 | 49886 | 104.21.67.152 | 192.168.2.7 |
| Dec 3, 2024 15:20:28.751220942 CET | 49886 | 443 | 192.168.2.7 | 104.21.67.152 |
| Dec 3, 2024 15:20:28.757916927 CET | 49886 | 443 | 192.168.2.7 | 104.21.67.152 |
| Dec 3, 2024 15:20:34.342398882 CET | 49862 | 80 | 192.168.2.7 | 132.226.247.73 |
| Dec 3, 2024 15:20:34.462685108 CET | 80 | 49862 | 132.226.247.73 | 192.168.2.7 |
| Dec 3, 2024 15:20:34.775563002 CET | 80 | 49862 | 132.226.247.73 | 192.168.2.7 |
| Dec 3, 2024 15:20:34.829535961 CET | 49862 | 80 | 192.168.2.7 | 132.226.247.73 |
| Dec 3, 2024 15:20:34.918885946 CET | 49903 | 443 | 192.168.2.7 | 149.154.167.220 |
| Dec 3, 2024 15:20:34.918942928 CET | 443 | 49903 | 149.154.167.220 | 192.168.2.7 |
| Dec 3, 2024 15:20:34.919023991 CET | 49903 | 443 | 192.168.2.7 | 149.154.167.220 |
| Dec 3, 2024 15:20:34.919565916 CET | 49903 | 443 | 192.168.2.7 | 149.154.167.220 |
| Dec 3, 2024 15:20:34.919576883 CET | 443 | 49903 | 149.154.167.220 | 192.168.2.7 |
| Dec 3, 2024 15:20:36.349878073 CET | 443 | 49903 | 149.154.167.220 | 192.168.2.7 |
| Dec 3, 2024 15:20:36.350012064 CET | 49903 | 443 | 192.168.2.7 | 149.154.167.220 |
| Dec 3, 2024 15:20:36.351985931 CET | 49903 | 443 | 192.168.2.7 | 149.154.167.220 |
| Dec 3, 2024 15:20:36.352008104 CET | 443 | 49903 | 149.154.167.220 | 192.168.2.7 |
| Dec 3, 2024 15:20:36.352258921 CET | 443 | 49903 | 149.154.167.220 | 192.168.2.7 |
| Dec 3, 2024 15:20:36.353740931 CET | 49903 | 443 | 192.168.2.7 | 149.154.167.220 |
| Dec 3, 2024 15:20:36.399343967 CET | 443 | 49903 | 149.154.167.220 | 192.168.2.7 |
| Dec 3, 2024 15:20:36.399590015 CET | 49903 | 443 | 192.168.2.7 | 149.154.167.220 |
| Dec 3, 2024 15:20:36.399610996 CET | 443 | 49903 | 149.154.167.220 | 192.168.2.7 |
| Dec 3, 2024 15:20:36.970879078 CET | 443 | 49903 | 149.154.167.220 | 192.168.2.7 |
| Dec 3, 2024 15:20:36.970971107 CET | 443 | 49903 | 149.154.167.220 | 192.168.2.7 |
| Dec 3, 2024 15:20:36.971143961 CET | 49903 | 443 | 192.168.2.7 | 149.154.167.220 |
| Dec 3, 2024 15:20:36.975738049 CET | 49903 | 443 | 192.168.2.7 | 149.154.167.220 |
| Dec 3, 2024 15:20:37.127192974 CET | 49862 | 80 | 192.168.2.7 | 132.226.247.73 |
| Dec 3, 2024 15:20:37.128339052 CET | 49909 | 80 | 192.168.2.7 | 132.226.247.73 |
| Dec 3, 2024 15:20:37.248030901 CET | 80 | 49862 | 132.226.247.73 | 192.168.2.7 |
| Dec 3, 2024 15:20:37.248126030 CET | 49862 | 80 | 192.168.2.7 | 132.226.247.73 |
| Dec 3, 2024 15:20:37.248703003 CET | 80 | 49909 | 132.226.247.73 | 192.168.2.7 |
| Dec 3, 2024 15:20:37.248892069 CET | 49909 | 80 | 192.168.2.7 | 132.226.247.73 |
| Dec 3, 2024 15:20:37.248975992 CET | 49909 | 80 | 192.168.2.7 | 132.226.247.73 |
| Dec 3, 2024 15:20:37.370374918 CET | 80 | 49909 | 132.226.247.73 | 192.168.2.7 |
| Dec 3, 2024 15:20:38.604399920 CET | 80 | 49909 | 132.226.247.73 | 192.168.2.7 |
| Dec 3, 2024 15:20:38.605995893 CET | 49913 | 443 | 192.168.2.7 | 149.154.167.220 |
| Dec 3, 2024 15:20:38.606038094 CET | 443 | 49913 | 149.154.167.220 | 192.168.2.7 |
| Dec 3, 2024 15:20:38.606112957 CET | 49913 | 443 | 192.168.2.7 | 149.154.167.220 |
| Dec 3, 2024 15:20:38.606797934 CET | 49913 | 443 | 192.168.2.7 | 149.154.167.220 |
| Dec 3, 2024 15:20:38.606812000 CET | 443 | 49913 | 149.154.167.220 | 192.168.2.7 |
| Dec 3, 2024 15:20:38.657701015 CET | 49909 | 80 | 192.168.2.7 | 132.226.247.73 |
| Dec 3, 2024 15:20:40.013942957 CET | 443 | 49913 | 149.154.167.220 | 192.168.2.7 |
| Dec 3, 2024 15:20:40.015677929 CET | 49913 | 443 | 192.168.2.7 | 149.154.167.220 |
| Dec 3, 2024 15:20:40.015698910 CET | 443 | 49913 | 149.154.167.220 | 192.168.2.7 |
| Dec 3, 2024 15:20:40.015758038 CET | 49913 | 443 | 192.168.2.7 | 149.154.167.220 |
| Dec 3, 2024 15:20:40.015767097 CET | 443 | 49913 | 149.154.167.220 | 192.168.2.7 |
| Dec 3, 2024 15:20:40.631561995 CET | 443 | 49913 | 149.154.167.220 | 192.168.2.7 |
| Dec 3, 2024 15:20:40.631644964 CET | 443 | 49913 | 149.154.167.220 | 192.168.2.7 |
| Dec 3, 2024 15:20:40.631719112 CET | 49913 | 443 | 192.168.2.7 | 149.154.167.220 |
| Dec 3, 2024 15:20:40.632333994 CET | 49913 | 443 | 192.168.2.7 | 149.154.167.220 |
| Dec 3, 2024 15:20:40.636028051 CET | 49909 | 80 | 192.168.2.7 | 132.226.247.73 |
| Dec 3, 2024 15:20:40.637398958 CET | 49919 | 80 | 192.168.2.7 | 132.226.247.73 |
| Dec 3, 2024 15:20:40.756484032 CET | 80 | 49909 | 132.226.247.73 | 192.168.2.7 |
| Dec 3, 2024 15:20:40.756606102 CET | 49909 | 80 | 192.168.2.7 | 132.226.247.73 |
| Dec 3, 2024 15:20:40.757989883 CET | 80 | 49919 | 132.226.247.73 | 192.168.2.7 |
| Dec 3, 2024 15:20:40.758080006 CET | 49919 | 80 | 192.168.2.7 | 132.226.247.73 |
| Dec 3, 2024 15:20:40.758305073 CET | 49919 | 80 | 192.168.2.7 | 132.226.247.73 |
| Dec 3, 2024 15:20:40.878261089 CET | 80 | 49919 | 132.226.247.73 | 192.168.2.7 |
| Dec 3, 2024 15:20:43.170118093 CET | 80 | 49919 | 132.226.247.73 | 192.168.2.7 |
| Dec 3, 2024 15:20:43.171426058 CET | 49926 | 443 | 192.168.2.7 | 149.154.167.220 |
| Dec 3, 2024 15:20:43.171456099 CET | 443 | 49926 | 149.154.167.220 | 192.168.2.7 |
| Dec 3, 2024 15:20:43.171514034 CET | 49926 | 443 | 192.168.2.7 | 149.154.167.220 |
| Dec 3, 2024 15:20:43.171797991 CET | 49926 | 443 | 192.168.2.7 | 149.154.167.220 |
| Dec 3, 2024 15:20:43.171807051 CET | 443 | 49926 | 149.154.167.220 | 192.168.2.7 |
| Dec 3, 2024 15:20:43.220295906 CET | 49919 | 80 | 192.168.2.7 | 132.226.247.73 |
| Dec 3, 2024 15:20:44.581855059 CET | 443 | 49926 | 149.154.167.220 | 192.168.2.7 |
| Dec 3, 2024 15:20:44.583678961 CET | 49926 | 443 | 192.168.2.7 | 149.154.167.220 |
| Dec 3, 2024 15:20:44.583709002 CET | 443 | 49926 | 149.154.167.220 | 192.168.2.7 |
| Dec 3, 2024 15:20:44.583782911 CET | 49926 | 443 | 192.168.2.7 | 149.154.167.220 |
| Dec 3, 2024 15:20:44.583792925 CET | 443 | 49926 | 149.154.167.220 | 192.168.2.7 |
| Dec 3, 2024 15:20:45.275460005 CET | 443 | 49926 | 149.154.167.220 | 192.168.2.7 |
| Dec 3, 2024 15:20:45.275594950 CET | 443 | 49926 | 149.154.167.220 | 192.168.2.7 |
| Dec 3, 2024 15:20:45.275644064 CET | 49926 | 443 | 192.168.2.7 | 149.154.167.220 |
| Dec 3, 2024 15:20:45.276063919 CET | 49926 | 443 | 192.168.2.7 | 149.154.167.220 |
| Dec 3, 2024 15:20:45.311460018 CET | 49931 | 80 | 192.168.2.7 | 132.226.247.73 |
| Dec 3, 2024 15:20:45.431442976 CET | 80 | 49931 | 132.226.247.73 | 192.168.2.7 |
| Dec 3, 2024 15:20:45.431642056 CET | 49931 | 80 | 192.168.2.7 | 132.226.247.73 |
| Dec 3, 2024 15:20:45.431863070 CET | 49931 | 80 | 192.168.2.7 | 132.226.247.73 |
| Dec 3, 2024 15:20:45.551961899 CET | 80 | 49931 | 132.226.247.73 | 192.168.2.7 |
| Dec 3, 2024 15:20:46.783482075 CET | 80 | 49931 | 132.226.247.73 | 192.168.2.7 |
| Dec 3, 2024 15:20:46.785463095 CET | 49935 | 443 | 192.168.2.7 | 149.154.167.220 |
| Dec 3, 2024 15:20:46.785509109 CET | 443 | 49935 | 149.154.167.220 | 192.168.2.7 |
| Dec 3, 2024 15:20:46.785594940 CET | 49935 | 443 | 192.168.2.7 | 149.154.167.220 |
| Dec 3, 2024 15:20:46.785860062 CET | 49935 | 443 | 192.168.2.7 | 149.154.167.220 |
| Dec 3, 2024 15:20:46.785872936 CET | 443 | 49935 | 149.154.167.220 | 192.168.2.7 |
| Dec 3, 2024 15:20:46.829576969 CET | 49931 | 80 | 192.168.2.7 | 132.226.247.73 |
| Dec 3, 2024 15:20:48.198936939 CET | 443 | 49935 | 149.154.167.220 | 192.168.2.7 |
| Dec 3, 2024 15:20:48.201019049 CET | 49935 | 443 | 192.168.2.7 | 149.154.167.220 |
| Dec 3, 2024 15:20:48.201067924 CET | 443 | 49935 | 149.154.167.220 | 192.168.2.7 |
| Dec 3, 2024 15:20:48.201133966 CET | 49935 | 443 | 192.168.2.7 | 149.154.167.220 |
| Dec 3, 2024 15:20:48.201145887 CET | 443 | 49935 | 149.154.167.220 | 192.168.2.7 |
| Dec 3, 2024 15:20:48.795911074 CET | 443 | 49935 | 149.154.167.220 | 192.168.2.7 |
| Dec 3, 2024 15:20:48.795999050 CET | 443 | 49935 | 149.154.167.220 | 192.168.2.7 |
| Dec 3, 2024 15:20:48.796046972 CET | 49935 | 443 | 192.168.2.7 | 149.154.167.220 |
| Dec 3, 2024 15:20:51.526201010 CET | 49935 | 443 | 192.168.2.7 | 149.154.167.220 |
| Dec 3, 2024 15:20:51.529107094 CET | 49931 | 80 | 192.168.2.7 | 132.226.247.73 |
| Dec 3, 2024 15:20:51.529587984 CET | 49946 | 80 | 192.168.2.7 | 132.226.247.73 |
| Dec 3, 2024 15:20:51.649926901 CET | 80 | 49946 | 132.226.247.73 | 192.168.2.7 |
| Dec 3, 2024 15:20:51.649996996 CET | 80 | 49931 | 132.226.247.73 | 192.168.2.7 |
| Dec 3, 2024 15:20:51.650088072 CET | 49931 | 80 | 192.168.2.7 | 132.226.247.73 |
| Dec 3, 2024 15:20:51.650093079 CET | 49946 | 80 | 192.168.2.7 | 132.226.247.73 |
| Dec 3, 2024 15:20:51.650223970 CET | 49946 | 80 | 192.168.2.7 | 132.226.247.73 |
| Dec 3, 2024 15:20:51.770172119 CET | 80 | 49946 | 132.226.247.73 | 192.168.2.7 |
| Dec 3, 2024 15:20:53.140886068 CET | 80 | 49946 | 132.226.247.73 | 192.168.2.7 |
| Dec 3, 2024 15:20:53.188946962 CET | 49946 | 80 | 192.168.2.7 | 132.226.247.73 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 3, 2024 15:20:08.306763887 CET | 61665 | 53 | 192.168.2.7 | 1.1.1.1 |
| Dec 3, 2024 15:20:08.444418907 CET | 53 | 61665 | 1.1.1.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:11.204166889 CET | 52680 | 53 | 192.168.2.7 | 1.1.1.1 |
| Dec 3, 2024 15:20:11.341629982 CET | 53 | 52680 | 1.1.1.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:16.794493914 CET | 50580 | 53 | 192.168.2.7 | 1.1.1.1 |
| Dec 3, 2024 15:20:16.934154034 CET | 53 | 50580 | 1.1.1.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:26.867862940 CET | 58498 | 53 | 192.168.2.7 | 1.1.1.1 |
| Dec 3, 2024 15:20:27.015923977 CET | 53 | 58498 | 1.1.1.1 | 192.168.2.7 |
| Dec 3, 2024 15:20:34.780443907 CET | 58811 | 53 | 192.168.2.7 | 1.1.1.1 |
| Dec 3, 2024 15:20:34.917860031 CET | 53 | 58811 | 1.1.1.1 | 192.168.2.7 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Dec 3, 2024 15:20:08.306763887 CET | 192.168.2.7 | 1.1.1.1 | 0x86ed | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Dec 3, 2024 15:20:11.204166889 CET | 192.168.2.7 | 1.1.1.1 | 0x23dc | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Dec 3, 2024 15:20:16.794493914 CET | 192.168.2.7 | 1.1.1.1 | 0xcca | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Dec 3, 2024 15:20:26.867862940 CET | 192.168.2.7 | 1.1.1.1 | 0xc4f8 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Dec 3, 2024 15:20:34.780443907 CET | 192.168.2.7 | 1.1.1.1 | 0x5a21 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Dec 3, 2024 15:20:08.444418907 CET | 1.1.1.1 | 192.168.2.7 | 0x86ed | No error (0) | 172.217.19.174 | A (IP address) | IN (0x0001) | false | ||
| Dec 3, 2024 15:20:11.341629982 CET | 1.1.1.1 | 192.168.2.7 | 0x23dc | No error (0) | 142.250.181.1 | A (IP address) | IN (0x0001) | false | ||
| Dec 3, 2024 15:20:16.934154034 CET | 1.1.1.1 | 192.168.2.7 | 0xcca | No error (0) | checkip.dyndns.com | CNAME (Canonical name) | IN (0x0001) | false | ||
| Dec 3, 2024 15:20:16.934154034 CET | 1.1.1.1 | 192.168.2.7 | 0xcca | No error (0) | 132.226.247.73 | A (IP address) | IN (0x0001) | false | ||
| Dec 3, 2024 15:20:16.934154034 CET | 1.1.1.1 | 192.168.2.7 | 0xcca | No error (0) | 193.122.6.168 | A (IP address) | IN (0x0001) | false | ||
| Dec 3, 2024 15:20:16.934154034 CET | 1.1.1.1 | 192.168.2.7 | 0xcca | No error (0) | 193.122.130.0 | A (IP address) | IN (0x0001) | false | ||
| Dec 3, 2024 15:20:16.934154034 CET | 1.1.1.1 | 192.168.2.7 | 0xcca | No error (0) | 132.226.8.169 | A (IP address) | IN (0x0001) | false | ||
| Dec 3, 2024 15:20:16.934154034 CET | 1.1.1.1 | 192.168.2.7 | 0xcca | No error (0) | 158.101.44.242 | A (IP address) | IN (0x0001) | false | ||
| Dec 3, 2024 15:20:27.015923977 CET | 1.1.1.1 | 192.168.2.7 | 0xc4f8 | No error (0) | 104.21.67.152 | A (IP address) | IN (0x0001) | false | ||
| Dec 3, 2024 15:20:27.015923977 CET | 1.1.1.1 | 192.168.2.7 | 0xc4f8 | No error (0) | 172.67.177.134 | A (IP address) | IN (0x0001) | false | ||
| Dec 3, 2024 15:20:34.917860031 CET | 1.1.1.1 | 192.168.2.7 | 0x5a21 | No error (0) | 149.154.167.220 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.7 | 49862 | 132.226.247.73 | 80 | 3824 | C:\Users\user\Desktop\IBAN payment confirmation.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Dec 3, 2024 15:20:17.064028025 CET | 151 | OUT | |
| Dec 3, 2024 15:20:24.118107080 CET | 321 | IN | |
| Dec 3, 2024 15:20:24.122697115 CET | 127 | OUT | |
| Dec 3, 2024 15:20:26.556296110 CET | 321 | IN | |
| Dec 3, 2024 15:20:34.342398882 CET | 127 | OUT | |
| Dec 3, 2024 15:20:34.775563002 CET | 321 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.7 | 49909 | 132.226.247.73 | 80 | 3824 | C:\Users\user\Desktop\IBAN payment confirmation.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Dec 3, 2024 15:20:37.248975992 CET | 127 | OUT | |
| Dec 3, 2024 15:20:38.604399920 CET | 321 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.7 | 49919 | 132.226.247.73 | 80 | 3824 | C:\Users\user\Desktop\IBAN payment confirmation.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Dec 3, 2024 15:20:40.758305073 CET | 127 | OUT | |
| Dec 3, 2024 15:20:43.170118093 CET | 321 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.7 | 49931 | 132.226.247.73 | 80 | 3824 | C:\Users\user\Desktop\IBAN payment confirmation.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Dec 3, 2024 15:20:45.431863070 CET | 151 | OUT | |
| Dec 3, 2024 15:20:46.783482075 CET | 321 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port |
|---|---|---|---|---|
| 4 | 192.168.2.7 | 49946 | 132.226.247.73 | 80 |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Dec 3, 2024 15:20:51.650223970 CET | 151 | OUT | |
| Dec 3, 2024 15:20:53.140886068 CET | 321 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.7 | 49841 | 172.217.19.174 | 443 | 3824 | C:\Users\user\Desktop\IBAN payment confirmation.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-03 14:20:10 UTC | 216 | OUT | |
| 2024-12-03 14:20:11 UTC | 1920 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.7 | 49850 | 142.250.181.1 | 443 | 3824 | C:\Users\user\Desktop\IBAN payment confirmation.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-03 14:20:13 UTC | 258 | OUT | |
| 2024-12-03 14:20:15 UTC | 4914 | IN | |
| 2024-12-03 14:20:15 UTC | 4914 | IN | |
| 2024-12-03 14:20:15 UTC | 4872 | IN | |
| 2024-12-03 14:20:15 UTC | 1320 | IN | |
| 2024-12-03 14:20:15 UTC | 1390 | IN | |
| 2024-12-03 14:20:15 UTC | 1390 | IN | |
| 2024-12-03 14:20:15 UTC | 1390 | IN | |
| 2024-12-03 14:20:15 UTC | 1390 | IN | |
| 2024-12-03 14:20:15 UTC | 1390 | IN | |
| 2024-12-03 14:20:16 UTC | 1390 | IN | |
| 2024-12-03 14:20:16 UTC | 1390 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.7 | 49886 | 104.21.67.152 | 443 | 3824 | C:\Users\user\Desktop\IBAN payment confirmation.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-03 14:20:28 UTC | 85 | OUT | |
| 2024-12-03 14:20:28 UTC | 878 | IN | |
| 2024-12-03 14:20:28 UTC | 362 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.7 | 49903 | 149.154.167.220 | 443 | 3824 | C:\Users\user\Desktop\IBAN payment confirmation.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-03 14:20:36 UTC | 299 | OUT | |
| 2024-12-03 14:20:36 UTC | 1090 | OUT | |
| 2024-12-03 14:20:36 UTC | 346 | IN | |
| 2024-12-03 14:20:36 UTC | 56 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.7 | 49913 | 149.154.167.220 | 443 | 3824 | C:\Users\user\Desktop\IBAN payment confirmation.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-03 14:20:40 UTC | 299 | OUT | |
| 2024-12-03 14:20:40 UTC | 1090 | OUT | |
| 2024-12-03 14:20:40 UTC | 346 | IN | |
| 2024-12-03 14:20:40 UTC | 56 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.7 | 49926 | 149.154.167.220 | 443 | 3824 | C:\Users\user\Desktop\IBAN payment confirmation.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-03 14:20:44 UTC | 275 | OUT | |
| 2024-12-03 14:20:44 UTC | 1090 | OUT | |
| 2024-12-03 14:20:45 UTC | 346 | IN | |
| 2024-12-03 14:20:45 UTC | 56 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.7 | 49935 | 149.154.167.220 | 443 | 3824 | C:\Users\user\Desktop\IBAN payment confirmation.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-03 14:20:48 UTC | 275 | OUT | |
| 2024-12-03 14:20:48 UTC | 1090 | OUT | |
| 2024-12-03 14:20:48 UTC | 346 | IN | |
| 2024-12-03 14:20:48 UTC | 56 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 09:18:42 |
| Start date: | 03/12/2024 |
| Path: | C:\Users\user\Desktop\IBAN payment confirmation.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 715'594 bytes |
| MD5 hash: | B134B557B86A160168DE0C56BA982EA6 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 11 |
| Start time: | 10:41:54 |
| Start date: | 03/12/2024 |
| Path: | C:\Users\user\Desktop\IBAN payment confirmation.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 715'594 bytes |
| MD5 hash: | B134B557B86A160168DE0C56BA982EA6 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | false |
Execution Graph
| Execution Coverage: | 20.1% |
| Dynamic/Decrypted Code Coverage: | 15.2% |
| Signature Coverage: | 18.9% |
| Total number of Nodes: | 1510 |
| Total number of Limit Nodes: | 45 |
Graph
Function 0040335A Relevance: 75.6, APIs: 27, Strings: 16, Instructions: 335stringfilecomCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404B10 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405F0C Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 207stringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405772 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148filestringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040653F Relevance: 5.4, APIs: 4, Instructions: 382COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004038B4 Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 216stringregistrylibraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402DBC Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 203memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401752 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145stringtimeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402573 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 142fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040317D Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 108fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402331 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71registrystringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405108 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405665 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406974 Relevance: 5.2, APIs: 4, Instructions: 236COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406B75 Relevance: 5.2, APIs: 4, Instructions: 208COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040688B Relevance: 5.2, APIs: 4, Instructions: 205COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406390 Relevance: 5.2, APIs: 4, Instructions: 198COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004067DE Relevance: 5.2, APIs: 4, Instructions: 180COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004068FC Relevance: 5.2, APIs: 4, Instructions: 170COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406848 Relevance: 5.2, APIs: 4, Instructions: 168COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401F98 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401B22 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10002868 Relevance: 3.2, APIs: 2, Instructions: 156COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401DC7 Relevance: 3.0, APIs: 2, Instructions: 21COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405B56 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004026F9 Relevance: 1.5, APIs: 1, Instructions: 26COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402253 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401718 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405BD9 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 1000278D Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404164 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040330F Relevance: 1.5, APIs: 1, Instructions: 6COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 1000121B Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004052D3 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282windowclipboardmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004045CA Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 269stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402770 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004042CC Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 207windowstringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405C08 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 136stringmemoryfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100022EB Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134memorystringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004024EE Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 54filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404196 Relevance: 12.1, APIs: 8, Instructions: 61COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404A5E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402C7F Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 1000248D Relevance: 9.1, APIs: 6, Instructions: 108COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100018C1 Relevance: 7.7, APIs: 5, Instructions: 190COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10001617 Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401CE5 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401D41 Relevance: 7.5, APIs: 5, Instructions: 38COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404978 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401BCA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405DB7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405935 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401F08 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405981 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100010E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405ABB Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 12.3% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 3% |
| Total number of Nodes: | 232 |
| Total number of Limit Nodes: | 18 |
Graph
Function 3A20E710 Relevance: 3.3, Strings: 2, Instructions: 764COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C998D0 Relevance: 3.3, Strings: 2, Instructions: 758COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A20D558 Relevance: 1.9, APIs: 1, Instructions: 396COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C96130 Relevance: .7, Instructions: 709COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3983A928 Relevance: .3, Instructions: 296COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0011E6A8 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3983C628 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0011EC58 Relevance: .2, Instructions: 231COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C977F0 Relevance: .2, Instructions: 219COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C97E40 Relevance: .2, Instructions: 219COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C971A8 Relevance: .2, Instructions: 218COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C98490 Relevance: .2, Instructions: 218COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0011EFAF Relevance: .2, Instructions: 202COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C99568 Relevance: .2, Instructions: 199COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C96123 Relevance: .2, Instructions: 167COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C9848C Relevance: .2, Instructions: 157COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A20F25E Relevance: .2, Instructions: 154COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C977EC Relevance: .1, Instructions: 102COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C97E3B Relevance: .1, Instructions: 101COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A2005F8 Relevance: 6.1, APIs: 4, Instructions: 136threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A200608 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C9B028 Relevance: 2.6, Strings: 2, Instructions: 150COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0011FD8D Relevance: 1.6, APIs: 1, Instructions: 115COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0011FD98 Relevance: 1.6, APIs: 1, Instructions: 113COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A2008E4 Relevance: 1.6, APIs: 1, Instructions: 97COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A200C50 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A200C58 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A201CA8 Relevance: 1.5, APIs: 1, Instructions: 46timeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A20C490 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A20C53C Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A20D338 Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A201CB0 Relevance: 1.5, APIs: 1, Instructions: 44timeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A20E64A Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C99C55 Relevance: .3, Instructions: 322COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C99C53 Relevance: .3, Instructions: 319COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C9F4E9 Relevance: .2, Instructions: 249COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C9E9B0 Relevance: .2, Instructions: 189COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C99FAF Relevance: .2, Instructions: 155COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C95400 Relevance: .1, Instructions: 147COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C9A709 Relevance: .1, Instructions: 145COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C9DB04 Relevance: .1, Instructions: 144COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C9FDF0 Relevance: .1, Instructions: 137COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C9945E Relevance: .1, Instructions: 94COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C9AE50 Relevance: .1, Instructions: 88COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C9E99F Relevance: .1, Instructions: 85COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C9AE40 Relevance: .1, Instructions: 82COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C953F0 Relevance: .1, Instructions: 77COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0009D3F0 Relevance: .1, Instructions: 75COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C9EF71 Relevance: .1, Instructions: 74COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000AD030 Relevance: .1, Instructions: 72COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0009D3EB Relevance: .1, Instructions: 56COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C994A8 Relevance: .1, Instructions: 56COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000AD02B Relevance: .1, Instructions: 53COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C9DEF7 Relevance: .1, Instructions: 53COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C9DF90 Relevance: .1, Instructions: 52COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C9DAE8 Relevance: .0, Instructions: 50COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C9A930 Relevance: .0, Instructions: 44COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C9A940 Relevance: .0, Instructions: 39COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C9710C Relevance: .0, Instructions: 39COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C9712C Relevance: .0, Instructions: 35COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C9AFA8 Relevance: .0, Instructions: 34COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C99879 Relevance: .0, Instructions: 25COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C9AF7D Relevance: .0, Instructions: 19COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C970FC Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C99828 Relevance: .0, Instructions: 13COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C97024 Relevance: .0, Instructions: 12COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404B10 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040335A Relevance: 63.3, APIs: 27, Strings: 9, Instructions: 335stringfilecomCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C98AD8 Relevance: 23.0, Strings: 18, Instructions: 461COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405772 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 148filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C98AD5 Relevance: 12.9, Strings: 10, Instructions: 359COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040653F Relevance: 5.4, APIs: 4, Instructions: 382COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C9563C Relevance: .6, Instructions: 609COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3983EFA0 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 398397C8 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3983C1D0 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3983F3F8 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3983D330 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3983EB48 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39839370 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3983BD78 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3983CA80 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3983A4D0 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3983CED8 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3983E6F0 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39839C20 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3983F850 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3983A078 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C939F0 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C911A0 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C93140 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C908F0 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C92890 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C90040 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C94B50 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C92300 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C942A0 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C91A50 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C915F8 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C93598 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C90D48 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C92CE8 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C90498 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C94FA8 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C946F8 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C91EA8 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C93E48 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A20F520 Relevance: .0, Instructions: 18COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39C9A6C7 Relevance: .0, Instructions: 17COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004052D3 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282windowclipboardmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004038B4 Relevance: 40.5, APIs: 15, Strings: 8, Instructions: 216stringregistrylibraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004042CC Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 207windowstringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405C08 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 136stringmemoryfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004045CA Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 269stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402DBC Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 203memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405F0C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 207stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404196 Relevance: 12.1, APIs: 8, Instructions: 61COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402573 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 142fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404A5E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402C7F Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040317D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004024EE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54filestringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401CE5 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401D41 Relevance: 7.5, APIs: 5, Instructions: 38COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404978 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401BCA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004015B9 Relevance: 6.1, APIs: 4, Instructions: 57COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401F08 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405108 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405665 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406974 Relevance: 5.2, APIs: 4, Instructions: 236COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406B75 Relevance: 5.2, APIs: 4, Instructions: 208COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040688B Relevance: 5.2, APIs: 4, Instructions: 205COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406390 Relevance: 5.2, APIs: 4, Instructions: 198COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004067DE Relevance: 5.2, APIs: 4, Instructions: 180COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004068FC Relevance: 5.2, APIs: 4, Instructions: 170COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406848 Relevance: 5.2, APIs: 4, Instructions: 168COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405ABB Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|