Edit tour
Windows
Analysis Report
SWIFT09181-24_pdf.exe
Overview
General Information
| Sample name: | SWIFT09181-24_pdf.exe |
| Analysis ID: | 1575477 |
| MD5: | e47d302ad20a15e7c4816b5e7b236699 |
| SHA1: | 784795652df30bc7919b8fd74df3056df586c4e8 |
| SHA256: | 7683dbf87b229a5c18546c930ccf2625f3cf8443a8deddd5c18446fd953e3cd4 |
| Tags: | exeGuLoaderuser-threatcat_ch |
| Infos: |  |
 | |
Detection
GuLoader, MassLogger RAT
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected MassLogger RAT
Yara detected Telegram RAT
AI detected suspicious sample
Disable Task Manager(disabletaskmgr)
Disables CMD prompt
Disables the Windows task manager (taskmgr)
Initial sample is a PE file and has a suspicious name
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Classification
- System is w10x64
SWIFT09181-24_pdf.exe (PID: 3372 cmdline: "C:\Users\ user\Deskt op\SWIFT09 181-24_pdf .exe" MD5: E47D302AD20A15E7C4816B5E7B236699) - SWIFT09181-24_pdf.exe (PID: 6020 cmdline:
"C:\Users\ user\Deskt op\SWIFT09 181-24_pdf .exe" MD5: E47D302AD20A15E7C4816B5E7B236699)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution |
{"C2 url": "https://api.telegram.org/bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendMessage"}{"EXfil Mode": "Telegram", "Telegram Token": "7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc", "Telegram Chatid": "7382809095"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | ||
| JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | ||
| JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security | ||
| Click to see the 2 entries | ||||
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-15T18:30:06.300477+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49885 | 149.154.167.220 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-15T18:29:53.504085+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49858 | 193.122.130.0 | 80 | TCP |
| 2024-12-15T18:30:01.941772+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49858 | 193.122.130.0 | 80 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-15T18:29:45.858880+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49837 | 216.58.208.238 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
Location Tracking | |
|---|
| Source: | DNS query: | ||
| Source: | Code function: | 5_2_3791D1EC | |
| Source: | Code function: | 5_2_3791D9D9 | |
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00405846 | |
| Source: | Code function: | 0_2_004027FB | |
| Source: | Code function: | 0_2_00406398 | |
| Source: | Code function: | 5_2_00405846 | |
| Source: | Code function: | 5_2_004027FB | |
| Source: | Code function: | 5_2_00406398 | |
| Source: | Code function: | 5_2_3791C638 | |
| Source: | Code function: | 5_2_37910C28 | |
| Source: | Code function: | 5_2_379103AF | |
| Source: | Code function: | 5_2_3791E790 | |
| Source: | Code function: | 5_2_37910F6F | |
| Source: | Code function: | 5_2_3791DEE1 | |
| Source: | Code function: | 5_2_3791BD9C | |
| Source: | Code function: | 5_2_3791B4EC | |
| Source: | Code function: | 5_2_37910C1B | |
| Source: | Code function: | 5_2_3791EBF2 | |
| Source: | Code function: | 5_2_3791E340 | |
| Source: | Code function: | 5_2_3791DA89 | |
| Source: | Code function: | 5_2_3791C1F2 | |
| Source: | Code function: | 5_2_3791B944 | |
| Source: | Code function: | 5_2_3791F054 | |
| Source: | Code function: | 5_2_3791B07F | |
| Source: | Code function: | 5_2_3A658650 | |
| Source: | Code function: | 5_2_3A658650 | |
| Source: | Code function: | 5_2_3A65BDF0 | |
| Source: | Code function: | 5_2_3A6529B8 | |
| Source: | Code function: | 5_2_3A655660 | |
| Source: | Code function: | 5_2_3A653268 | |
| Source: | Code function: | 5_2_3A657070 | |
| Source: | Code function: | 5_2_3A651858 | |
| Source: | Code function: | 5_2_3A654820 | |
| Source: | Code function: | 5_2_3A651400 | |
| Source: | Code function: | 5_2_3A655208 | |
| Source: | Code function: | 5_2_3A652E10 | |
| Source: | Code function: | 5_2_3A656C18 | |
| Source: | Code function: | 5_2_3A6536C0 | |
| Source: | Code function: | 5_2_3A6574C8 | |
| Source: | Code function: | 5_2_3A651CB0 | |
| Source: | Code function: | 5_2_3A655AB8 | |
| Source: | Code function: | 5_2_3A652560 | |
| Source: | Code function: | 5_2_3A656368 | |
| Source: | Code function: | 5_2_3A653F70 | |
| Source: | Code function: | 5_2_3A657B4F | |
| Source: | Code function: | 5_2_3A652108 | |
| Source: | Code function: | 5_2_3A655F10 | |
| Source: | Code function: | 5_2_3A653B18 | |
| Source: | Code function: | 5_2_3A6567C0 | |
| Source: | Code function: | 5_2_3A6543C8 | |
| Source: | Code function: | 5_2_3A650FA8 | |
| Source: | Code function: | 5_2_3A654DB0 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | JA3 fingerprint: | ||
| Source: | JA3 fingerprint: | ||
| Source: | DNS query: | ||
| Source: | DNS query: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 0_2_004052F3 | |
System Summary | |
|---|
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_004032A0 | |
| Source: | Code function: | 5_2_004032A0 | |
| Source: | Code function: | 0_2_00404B30 | |
| Source: | Code function: | 0_2_00407041 | |
| Source: | Code function: | 0_2_0040686A | |
| Source: | Code function: | 5_2_00407041 | |
| Source: | Code function: | 5_2_0040686A | |
| Source: | Code function: | 5_2_00404B30 | |
| Source: | Code function: | 5_2_00154328 | |
| Source: | Code function: | 5_2_00158DA0 | |
| Source: | Code function: | 5_2_00155968 | |
| Source: | Code function: | 5_2_00155F90 | |
| Source: | Code function: | 5_2_00152DD1 | |
| Source: | Code function: | 5_2_3791C638 | |
| Source: | Code function: | 5_2_3791CCA0 | |
| Source: | Code function: | 5_2_379103AF | |
| Source: | Code function: | 5_2_3791331A | |
| Source: | Code function: | 5_2_37915806 | |
| Source: | Code function: | 5_2_37917848 | |
| Source: | Code function: | 5_2_3791E790 | |
| Source: | Code function: | 5_2_37916E91 | |
| Source: | Code function: | 5_2_37916EA0 | |
| Source: | Code function: | 5_2_3791DEE1 | |
| Source: | Code function: | 5_2_3791BD9C | |
| Source: | Code function: | 5_2_3791CCA2 | |
| Source: | Code function: | 5_2_3791B4EC | |
| Source: | Code function: | 5_2_3791EBF2 | |
| Source: | Code function: | 5_2_3791E340 | |
| Source: | Code function: | 5_2_3791DA89 | |
| Source: | Code function: | 5_2_3791C1F2 | |
| Source: | Code function: | 5_2_3791B944 | |
| Source: | Code function: | 5_2_3791F054 | |
| Source: | Code function: | 5_2_3791B07F | |
| Source: | Code function: | 5_2_3A658650 | |
| Source: | Code function: | 5_2_3A6596C8 | |
| Source: | Code function: | 5_2_3A65BA97 | |
| Source: | Code function: | 5_2_3A65A360 | |
| Source: | Code function: | 5_2_3A659D10 | |
| Source: | Code function: | 5_2_3A65BDF0 | |
| Source: | Code function: | 5_2_3A65A9B0 | |
| Source: | Code function: | 5_2_3A6529B8 | |
| Source: | Code function: | 5_2_3A657061 | |
| Source: | Code function: | 5_2_3A655660 | |
| Source: | Code function: | 5_2_3A653268 | |
| Source: | Code function: | 5_2_3A657070 | |
| Source: | Code function: | 5_2_3A650040 | |
| Source: | Code function: | 5_2_3A658640 | |
| Source: | Code function: | 5_2_3A65184C | |
| Source: | Code function: | 5_2_3A655650 | |
| Source: | Code function: | 5_2_3A653258 | |
| Source: | Code function: | 5_2_3A651858 | |
| Source: | Code function: | 5_2_3A654820 | |
| Source: | Code function: | 5_2_3A652E00 | |
| Source: | Code function: | 5_2_3A651400 | |
| Source: | Code function: | 5_2_3A656C09 | |
| Source: | Code function: | 5_2_3A655208 | |
| Source: | Code function: | 5_2_3A652E10 | |
| Source: | Code function: | 5_2_3A654810 | |
| Source: | Code function: | 5_2_3A656C18 | |
| Source: | Code function: | 5_2_3A6520F8 | |
| Source: | Code function: | 5_2_3A6536C0 | |
| Source: | Code function: | 5_2_3A6536C2 | |
| Source: | Code function: | 5_2_3A6574C8 | |
| Source: | Code function: | 5_2_3A651CA0 | |
| Source: | Code function: | 5_2_3A655AA8 | |
| Source: | Code function: | 5_2_3A651CB0 | |
| Source: | Code function: | 5_2_3A650EB9 | |
| Source: | Code function: | 5_2_3A655AB8 | |
| Source: | Code function: | 5_2_3A6574B8 | |
| Source: | Code function: | 5_2_3A6596B8 | |
| Source: | Code function: | 5_2_3A652560 | |
| Source: | Code function: | 5_2_3A656368 | |
| Source: | Code function: | 5_2_3A653F70 | |
| Source: | Code function: | 5_2_3A653F72 | |
| Source: | Code function: | 5_2_3A657B4F | |
| Source: | Code function: | 5_2_3A65A352 | |
| Source: | Code function: | 5_2_3A65255C | |
| Source: | Code function: | 5_2_3A656358 | |
| Source: | Code function: | 5_2_3A655F01 | |
| Source: | Code function: | 5_2_3A659D00 | |
| Source: | Code function: | 5_2_3A652108 | |
| Source: | Code function: | 5_2_3A653B08 | |
| Source: | Code function: | 5_2_3A655F10 | |
| Source: | Code function: | 5_2_3A653B18 | |
| Source: | Code function: | 5_2_3A65AFF7 | |
| Source: | Code function: | 5_2_3A6551FF | |
| Source: | Code function: | 5_2_3A65AFF8 | |
| Source: | Code function: | 5_2_3A6567C0 | |
| Source: | Code function: | 5_2_3A6543C8 | |
| Source: | Code function: | 5_2_3A65A9A0 | |
| Source: | Code function: | 5_2_3A650FA8 | |
| Source: | Code function: | 5_2_3A654DB0 | |
| Source: | Code function: | 5_2_3A6567B0 | |
| Source: | Code function: | 5_2_3A654DB2 | |
| Source: | Code function: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_004032A0 | |
| Source: | Code function: | 5_2_004032A0 | |
| Source: | Code function: | 0_2_004045B4 | |
| Source: | Code function: | 0_2_00402095 | |
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | LNK file: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
Data Obfuscation | |
|---|
| Source: | File source: | ||
| Source: | Code function: | 0_2_10001B18 | |
| Source: | Code function: | 0_2_10002E0E | |
| Source: | Code function: | 5_3_001949CD | |
| Source: | File created: | Jump to dropped file | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | API/Special instruction interceptor: | ||
| Source: | API/Special instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | API coverage: | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Code function: | 0_2_00405846 | |
| Source: | Code function: | 0_2_004027FB | |
| Source: | Code function: | 0_2_00406398 | |
| Source: | Code function: | 5_2_00405846 | |
| Source: | Code function: | 5_2_004027FB | |
| Source: | Code function: | 5_2_00406398 | |
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_0-3943 | ||
| Source: | API call chain: | graph_0-3762 | ||
| Source: | Code function: | 0_2_10001B18 | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_00406077 | |
| Source: | Key value queried: | Jump to behavior | ||
Lowering of HIPS / PFW / Operating System Security Settings | |
|---|
| Source: | Registry value created: | Jump to behavior | ||
| Source: | Registry value created: | Jump to behavior | ||
| Source: | Registry key created or modified: | Jump to behavior | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Masquerading | 1 OS Credential Dumping | 21 Security Software Discovery | Remote Services | 1 Email Collection | 1 Web Service | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 11 Process Injection | 31 Disable or Modify Tools | LSASS Memory | 31 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 31 Virtualization/Sandbox Evasion | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | 1 Data from Local System | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Access Token Manipulation | NTDS | 1 System Network Configuration Discovery | Distributed Component Object Model | 1 Clipboard Data | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Process Injection | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | 14 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Deobfuscate/Decode Files or Information | Cached Domain Credentials | 215 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 3 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 24% | ReversingLabs | Win32.Trojan.Garf |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| drive.google.com | 216.58.208.238 | true | false | high | |
| drive.usercontent.google.com | 172.217.17.65 | true | false | high | |
| reallyfreegeoip.org | 104.21.67.152 | true | false | high | |
| api.telegram.org | 149.154.167.220 | true | false | high | |
| checkip.dyndns.com | 193.122.130.0 | true | false | high | |
| checkip.dyndns.org | unknown | unknown | false | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | high | ||
| false | high | ||
| false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false | |
| 104.21.67.152 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false | |
| 193.122.130.0 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false | |
| 172.217.17.65 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false | |
| 216.58.208.238 | drive.google.com | United States | 15169 | GOOGLEUS | false |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1575477 |
| Start date and time: | 2024-12-15 18:27:05 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 7m 23s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 6 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | SWIFT09181-24_pdf.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@3/8@5/5 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.63
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- VT rate limit hit for: SWIFT09181-24_pdf.exe
| Time | Type | Description |
|---|---|---|
| 12:30:01 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 149.154.167.220 | Get hash | malicious | ScreenConnect Tool, Amadey, LummaC Stealer, PureLog Stealer, Vidar, Xmrig | Browse | ||
| Get hash | malicious | 77Rootkit, XWorm | Browse | |||
| Get hash | malicious | Discord Token Stealer, DotStealer | Browse | |||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
| Get hash | malicious | Discord Token Stealer, Millenuim RAT | Browse | |||
| Get hash | malicious | Discord Token Stealer, DotStealer | Browse | |||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
| Get hash | malicious | MassLogger RAT | Browse | |||
| Get hash | malicious | Luca Stealer | Browse | |||
| Get hash | malicious | Luca Stealer | Browse | |||
| 104.21.67.152 | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | ||
| Get hash | malicious | MassLogger RAT | Browse | |||
| Get hash | malicious | MassLogger RAT | Browse | |||
| Get hash | malicious | Snake Keylogger | Browse | |||
| Get hash | malicious | Snake Keylogger | Browse | |||
| Get hash | malicious | MassLogger RAT | Browse | |||
| Get hash | malicious | MassLogger RAT | Browse | |||
| Get hash | malicious | MassLogger RAT | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
| 193.122.130.0 | Get hash | malicious | Amadey, AsyncRAT, HVNC, LummaC Stealer, RedLine, Stealc | Browse |
| |
| Get hash | malicious | AsyncRAT, HVNC, PureLog Stealer | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| checkip.dyndns.com | Get hash | malicious | Amadey, AsyncRAT, HVNC, LummaC Stealer, RedLine, Stealc | Browse |
| |
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | AsyncRAT, HVNC, PureLog Stealer | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| reallyfreegeoip.org | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| |
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| api.telegram.org | Get hash | malicious | 77Rootkit, XWorm | Browse |
| |
| Get hash | malicious | Discord Token Stealer, DotStealer | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Discord Token Stealer, Millenuim RAT | Browse |
| ||
| Get hash | malicious | Discord Token Stealer, DotStealer | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | Luca Stealer | Browse |
| ||
| Get hash | malicious | Luca Stealer | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| TELEGRAMRU | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar, Xmrig | Browse |
| |
| Get hash | malicious | ScreenConnect Tool, Amadey, LummaC Stealer, PureLog Stealer, Vidar, Xmrig | Browse |
| ||
| Get hash | malicious | ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig | Browse |
| ||
| Get hash | malicious | 77Rootkit, XWorm | Browse |
| ||
| Get hash | malicious | Amadey, LummaC Stealer, Stealc, Vidar, Xmrig | Browse |
| ||
| Get hash | malicious | Discord Token Stealer, DotStealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar | Browse |
| ||
| CLOUDFLARENETUS | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | NetSupport RAT | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| ORACLE-BMC-31898US | Get hash | malicious | Amadey, AsyncRAT, HVNC, LummaC Stealer, RedLine, Stealc | Browse |
| |
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Mirai, Okiru | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | AsyncRAT, HVNC, PureLog Stealer | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 54328bd36c14bd82ddaa0c04b25ed9ad | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | Njrat | Browse |
| ||
| Get hash | malicious | SheetRat | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| 3b5074b1b5d032e5620f69f9f700ff0e | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
| ||
| Get hash | malicious | DCRat | Browse |
| ||
| Get hash | malicious | DarkGate, MailPassView | Browse |
| ||
| Get hash | malicious | DarkGate, MailPassView | Browse |
| ||
| Get hash | malicious | 77Rootkit, XWorm | Browse |
| ||
| Get hash | malicious | WinSearchAbuse | Browse |
| ||
| Get hash | malicious | Discord Token Stealer, DotStealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| 37f463bf4616ecd445d4a1937da06e19 | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar, Xmrig | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar | Browse |
| ||
| Get hash | malicious | ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig | Browse |
| ||
| Get hash | malicious | Amadey, LummaC Stealer, Stealc, Vidar, Xmrig | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\nsw967F.tmp\System.dll | Get hash | malicious | Unknown | Browse | ||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse | |||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse | |||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse | |||
| Get hash | malicious | GuLoader | Browse |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Psychrophyte.Boo
Download File
| Process: | C:\Users\user\Desktop\SWIFT09181-24_pdf.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 134264 |
| Entropy (8bit): | 4.605669963186572 |
| Encrypted: | false |
| SSDEEP: | 3072:xj4mzkFU365SZQUQ9jA+gJqtUqouOlaHaoYCD9gDrh:xj4skFWkeQ6+Laqiw6eDaDrh |
| MD5: | F166237825F14B277F465F26CABC12EF |
| SHA1: | 1DE8BA3AC6D167148A6965BC03B74E363A3E628E |
| SHA-256: | 981A5F9CB1CC649C30241B04A6D51EDC30CEBA85D1396C02F0D210E58D3B68F1 |
| SHA-512: | B8695964D1A245FF7C64E43EDCCA958D5B9391AEEFBF02F1C19050772252FE5E8A1BF70D6FFE71DA759155B90DB3128DE419B28A9F6F7308605B1A5245490700 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Riprap43.gaw
Download File
| Process: | C:\Users\user\Desktop\SWIFT09181-24_pdf.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 56641 |
| Entropy (8bit): | 1.2318917163845036 |
| Encrypted: | false |
| SSDEEP: | 384:vrBeaW6xu5Pd9GW0Zq+/HXF1qcGNMUd8phxiFQHOV7hpvZlq:t9+Pdop/306xixrlq |
| MD5: | 39C9A5F767D8C170B5CE38EA8D5734D4 |
| SHA1: | 4B4CA81EB3D093645B504004F62A269D4EACDECC |
| SHA-256: | 87A7017021050071DBE5726BF9AC505763CD923E2BDE93336CA0905802CD8D49 |
| SHA-512: | AE2D66B801251046FA4D3093391B916955B43BE75A954DD398583B1B8881A9F109F51F81D6E4FE759F83AC7B921FA89B02185013AFDE16D3C8EAB422BE89B4FF |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Vebogen77.Uni
Download File
| Process: | C:\Users\user\Desktop\SWIFT09181-24_pdf.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 273959 |
| Entropy (8bit): | 7.775011891990138 |
| Encrypted: | false |
| SSDEEP: | 6144:F7bhGVhVT8F4bX35S7KMDGWqbfeaFuYjSd0q09YdGm+DLvpBCUe:F79GdbXFPWqrebJcKQBhe |
| MD5: | 93545E50541335CD9B1457812BE4637C |
| SHA1: | E7A88BEFAD0828C4E17E37756CEC3039D4B8515B |
| SHA-256: | 8C50FA361425AEB62B60DBB05718B144E9BF9CF95D5DBEE541BA39D4FE9068AA |
| SHA-512: | 330F84040AA98487DF2165879D819827490839937C91CF90EAB767B71C1A22D58F6513236AE156B18AB8AD39B413D1CF93F35521568D2A903F7D9A2A5435E95F |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\forskansningens.txt
Download File
| Process: | C:\Users\user\Desktop\SWIFT09181-24_pdf.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 345 |
| Entropy (8bit): | 4.241929841155785 |
| Encrypted: | false |
| SSDEEP: | 6:dvkdMOL4xnuXGNQWjMIDw1luhPB46xAJX7sBJOdkmLA8gMfArpIXbgOwQWiQJEEC:dufExIoDe1lYnGJLsBQdtL6rpIrWQkJA |
| MD5: | AE69FE0F4D1E1115BC470031E661785C |
| SHA1: | 8D3799826FE457C61C1E8EE5E3071683A8125BC5 |
| SHA-256: | 6B18768503395C809263568D3A8858810404C2B7D49DC7CB6CE5F717F5D6C7DE |
| SHA-512: | 969C0DB048EAC4A9B447A0C0C463A7983F1B4091B6206E274B9D249F8311439B6C33F5AA1EDF9CD1AA27502DA49378D3E1B45F16909C55DF830E51684E9648BE |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\fyldebtten.soi
Download File
| Process: | C:\Users\user\Desktop\SWIFT09181-24_pdf.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 210366 |
| Entropy (8bit): | 1.240975322465592 |
| Encrypted: | false |
| SSDEEP: | 768:vBTwJOLxCIF0V6iLboHog6BQlsMqlN1R0pmGy30wbfq6+9GmlsNh34k0uJ/QohER:cJigyyDJnLH7zA |
| MD5: | AEF78D8D561E8802286A78AAC6C73ED6 |
| SHA1: | DDF5DA649482D0A553802827BB9F0EF64A7069E1 |
| SHA-256: | 45F24543C01C9A11CC2246A9B27569AF433EEF61C877A4E191B683315D3566BE |
| SHA-512: | 93D43C0CECADF8E1F507F8E58D2B4D92995D8F7ECF213A23559938B380033A6D0D80B0816A8D6603864F821F4FEDC988E0F79BE14C6892089178970E08DC4199 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\wildwestfilm.sto
Download File
| Process: | C:\Users\user\Desktop\SWIFT09181-24_pdf.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 363811 |
| Entropy (8bit): | 1.2512349423386382 |
| Encrypted: | false |
| SSDEEP: | 768:y2f405GRYtnSLOBbyCociR2TVuEpHsVURGxwGmXjyMB+CtKDOgt9rlHF1QOs+9m5:pIuagbnK7CwVwFpYogwhUsvCq |
| MD5: | BFEA15C03AB295424981A73637A19491 |
| SHA1: | A5ADABDDC373D6B3004F96946D84B651E42D9F5C |
| SHA-256: | 83E9CE74259889DCABD39D41131F286882B224698DCDEB8D0B4074069AAA687B |
| SHA-512: | CB5969BFFAED8AF1791938E924E0CC9F876E45165F4E7EA5E9249131FACA831C0600F14BD68EF041D18C81A3FBE087970043D1B3B8A6786C1E5E5049834D4D0D |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\SWIFT09181-24_pdf.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 11776 |
| Entropy (8bit): | 5.655335921632966 |
| Encrypted: | false |
| SSDEEP: | 192:eF24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol9Sl:h8QIl975eXqlWBrz7YLOl9 |
| MD5: | EE260C45E97B62A5E42F17460D406068 |
| SHA1: | DF35F6300A03C4D3D3BD69752574426296B78695 |
| SHA-256: | E94A1F7BCD7E0D532B660D0AF468EB3321536C3EFDCA265E61F9EC174B1AEF27 |
| SHA-512: | A98F350D17C9057F33E5847462A87D59CBF2AAEDA7F6299B0D49BB455E484CE4660C12D2EB8C4A0D21DF523E729222BBD6C820BF25B081BC7478152515B414B3 |
| Malicious: | false |
| Antivirus: |
|
| Joe Sandbox View: |
|
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\SWIFT09181-24_pdf.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1156 |
| Entropy (8bit): | 3.250976511083343 |
| Encrypted: | false |
| SSDEEP: | 12:8wl0asXowAOcQ/tz0/CSL6/cBnwgXl341DEDeG41DED/RKQ1olfW+kjcmAahTCN7:8xLDWLrFPjPL9izZMspdqy |
| MD5: | DA3120C581FD7369156BF3B9B82815B5 |
| SHA1: | 12B60059AE6BCFFFADEB2D4BDD2B4000E5295362 |
| SHA-256: | 5EA5E2BC538A59AA6F16F46991007F577B6EA4B456D42CBBDCF25EAB84FFA971 |
| SHA-512: | B65020A6B78960BED204A4F4C39BEE4BD43E28349DB8D61C91788D6600E89204DFFB4D9087434D8A924994C04C8C36F2A3D69563FDA8AE1D34A333F017AC2FD6 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.964353590785383 |
| TrID: |
|
| File name: | SWIFT09181-24_pdf.exe |
| File size: | 484'309 bytes |
| MD5: | e47d302ad20a15e7c4816b5e7b236699 |
| SHA1: | 784795652df30bc7919b8fd74df3056df586c4e8 |
| SHA256: | 7683dbf87b229a5c18546c930ccf2625f3cf8443a8deddd5c18446fd953e3cd4 |
| SHA512: | dfccf948fc36fdb83adbe56cc8010c7aa17d2e56c5854003c395cb498469429fea4bf65a42505a013f9fc45fe33bc0754ab0e0f5f0801e912466a9217f7a0471 |
| SSDEEP: | 12288:I5AjfSA+NkoaVfXmCgWl7j+Hu7Jj1JK8s5FEeKM:ZOioa5XmCJdjIu7Jj1Jiceh |
| TLSH: | F3A4234142B8C947F972873C6E37BFBB7A7E231652605F06A3500E667C70A528CAF85D |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P..*_...P...P..NP..*_...P...s...P...V...P..Rich.P..........................PE..L......V.................d......... |
 | |
| Icon Hash: | 3d2e0f95332b3399 |
| Entrypoint: | 0x4032a0 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x567F847F [Sun Dec 27 06:26:07 2015 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | d4b94e8ee3f620a89d114b9da4b31873 |
| Instruction |
|---|
| sub esp, 000002D4h |
| push ebp |
| push esi |
| push 00000020h |
| xor ebp, ebp |
| pop esi |
| mov dword ptr [esp+0Ch], ebp |
| push 00008001h |
| mov dword ptr [esp+0Ch], 0040A300h |
| mov dword ptr [esp+18h], ebp |
| call dword ptr [004080B0h] |
| call dword ptr [004080ACh] |
| cmp ax, 00000006h |
| je 00007FE094BCDCA3h |
| push ebp |
| call 00007FE094BD0DE6h |
| cmp eax, ebp |
| je 00007FE094BCDC99h |
| push 00000C00h |
| call eax |
| push ebx |
| push edi |
| push 0040A2F4h |
| call 00007FE094BD0D63h |
| push 0040A2ECh |
| call 00007FE094BD0D59h |
| push 0040A2E0h |
| call 00007FE094BD0D4Fh |
| push 00000009h |
| call 00007FE094BD0DB4h |
| push 00000007h |
| call 00007FE094BD0DADh |
| mov dword ptr [00434F04h], eax |
| call dword ptr [00408044h] |
| push ebp |
| call dword ptr [004082A8h] |
| mov dword ptr [00434FB8h], eax |
| push ebp |
| lea eax, dword ptr [esp+34h] |
| push 000002B4h |
| push eax |
| push ebp |
| push 0042B228h |
| call dword ptr [0040818Ch] |
| push 0040A2C8h |
| push 00433F00h |
| call 00007FE094BD099Ah |
| call dword ptr [004080A8h] |
| mov ebx, 0043F000h |
| push eax |
| push ebx |
| call 00007FE094BD0988h |
| push ebp |
| call dword ptr [00408178h] |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x85c8 | 0xa0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5d000 | 0x11e0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b8 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x637c | 0x6400 | 83ff228d6dae8dd738eb2f78afbc793f | False | 0.672421875 | data | 6.491609540807675 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x8000 | 0x147c | 0x1600 | d9f9b0b330e238260616b62a7a3cac09 | False | 0.42933238636363635 | data | 4.973928345594701 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xa000 | 0x2aff8 | 0x600 | 3f2b05c8fbb8b2e4c9c89e93d30e7252 | False | 0.53125 | data | 4.133631086111171 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .ndata | 0x35000 | 0x28000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x5d000 | 0x11e0 | 0x1200 | 20639f4e7c421f5379e2fb9ea4a1530d | False | 0.3684895833333333 | data | 4.485045860065118 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_BITMAP | 0x5d268 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States | 0.23623853211009174 |
| RT_ICON | 0x5d5d0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.42473118279569894 |
| RT_DIALOG | 0x5d8b8 | 0x144 | data | English | United States | 0.5216049382716049 |
| RT_DIALOG | 0x5da00 | 0x13c | data | English | United States | 0.5506329113924051 |
| RT_DIALOG | 0x5db40 | 0x100 | data | English | United States | 0.5234375 |
| RT_DIALOG | 0x5dc40 | 0x11c | data | English | United States | 0.6056338028169014 |
| RT_DIALOG | 0x5dd60 | 0xc4 | data | English | United States | 0.5918367346938775 |
| RT_DIALOG | 0x5de28 | 0x60 | data | English | United States | 0.7291666666666666 |
| RT_GROUP_ICON | 0x5de88 | 0x14 | data | English | United States | 1.2 |
| RT_MANIFEST | 0x5dea0 | 0x33f | XML 1.0 document, ASCII text, with very long lines (831), with no line terminators | English | United States | 0.5547533092659447 |
| DLL | Import |
|---|---|
| KERNEL32.dll | SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, MoveFileW, SetFileAttributesW, GetCurrentProcess, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, CopyFileW, CompareFileTime, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, LoadLibraryW, GetProcAddress, GetModuleHandleA, ExpandEnvironmentStringsW, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, GlobalFree, lstrcmpW, GlobalAlloc, WaitForSingleObject, GlobalUnlock, GetDiskFreeSpaceW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW |
| USER32.dll | GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, GetDC, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, LoadImageW, SetWindowLongW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, SetTimer, FindWindowExW, SendMessageTimeoutW, SetForegroundWindow |
| GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
| SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW |
| ADVAPI32.dll | RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW |
| COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
| ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-15T18:29:45.858880+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49837 | 216.58.208.238 | 443 | TCP |
| 2024-12-15T18:29:53.504085+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49858 | 193.122.130.0 | 80 | TCP |
| 2024-12-15T18:30:01.941772+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49858 | 193.122.130.0 | 80 | TCP |
| 2024-12-15T18:30:06.300477+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.4 | 49885 | 149.154.167.220 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 15, 2024 18:29:43.246592999 CET | 49837 | 443 | 192.168.2.4 | 216.58.208.238 |
| Dec 15, 2024 18:29:43.246627092 CET | 443 | 49837 | 216.58.208.238 | 192.168.2.4 |
| Dec 15, 2024 18:29:43.246717930 CET | 49837 | 443 | 192.168.2.4 | 216.58.208.238 |
| Dec 15, 2024 18:29:43.258887053 CET | 49837 | 443 | 192.168.2.4 | 216.58.208.238 |
| Dec 15, 2024 18:29:43.258903027 CET | 443 | 49837 | 216.58.208.238 | 192.168.2.4 |
| Dec 15, 2024 18:29:44.956856966 CET | 443 | 49837 | 216.58.208.238 | 192.168.2.4 |
| Dec 15, 2024 18:29:44.957113981 CET | 49837 | 443 | 192.168.2.4 | 216.58.208.238 |
| Dec 15, 2024 18:29:44.957518101 CET | 443 | 49837 | 216.58.208.238 | 192.168.2.4 |
| Dec 15, 2024 18:29:44.957587957 CET | 49837 | 443 | 192.168.2.4 | 216.58.208.238 |
| Dec 15, 2024 18:29:45.010179996 CET | 49837 | 443 | 192.168.2.4 | 216.58.208.238 |
| Dec 15, 2024 18:29:45.010262012 CET | 443 | 49837 | 216.58.208.238 | 192.168.2.4 |
| Dec 15, 2024 18:29:45.010489941 CET | 443 | 49837 | 216.58.208.238 | 192.168.2.4 |
| Dec 15, 2024 18:29:45.010653973 CET | 49837 | 443 | 192.168.2.4 | 216.58.208.238 |
| Dec 15, 2024 18:29:45.015379906 CET | 49837 | 443 | 192.168.2.4 | 216.58.208.238 |
| Dec 15, 2024 18:29:45.059425116 CET | 443 | 49837 | 216.58.208.238 | 192.168.2.4 |
| Dec 15, 2024 18:29:45.858688116 CET | 443 | 49837 | 216.58.208.238 | 192.168.2.4 |
| Dec 15, 2024 18:29:45.858886957 CET | 49837 | 443 | 192.168.2.4 | 216.58.208.238 |
| Dec 15, 2024 18:29:45.859203100 CET | 49837 | 443 | 192.168.2.4 | 216.58.208.238 |
| Dec 15, 2024 18:29:45.859289885 CET | 443 | 49837 | 216.58.208.238 | 192.168.2.4 |
| Dec 15, 2024 18:29:45.859354019 CET | 49837 | 443 | 192.168.2.4 | 216.58.208.238 |
| Dec 15, 2024 18:29:46.017631054 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:46.017723083 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:46.018052101 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:46.018202066 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:46.018249035 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:47.738897085 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:47.739166021 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:47.744045973 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:47.744121075 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:47.744488001 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:47.744570017 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:47.745100975 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:47.787369013 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:50.677480936 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:50.677656889 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:50.693622112 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:50.693732977 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:50.803107023 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:50.803277016 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:50.807271004 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:50.807745934 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:50.807843924 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:50.808306932 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:50.870893955 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:50.871140957 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:50.872668982 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:50.872911930 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:50.880515099 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:50.880839109 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:50.880903006 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:50.881156921 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:50.888127089 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:50.888324976 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:50.890333891 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:50.890680075 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:50.895018101 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:50.895363092 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:50.899430037 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:50.899637938 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:50.906997919 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:50.907223940 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:50.913183928 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:50.913647890 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:50.916961908 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:50.917212963 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:50.928625107 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:50.929337978 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:50.931337118 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:50.931467056 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:50.941303968 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:50.941478968 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:50.943759918 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:50.943844080 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:50.956219912 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:50.956696987 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:50.958699942 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:50.959064007 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:50.970688105 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:50.970890045 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:50.973357916 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:50.973424911 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:50.983442068 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:50.983525038 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:50.986363888 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:50.986557961 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:50.995263100 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:50.995414019 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:50.995476007 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:50.995556116 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.009665012 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.009727001 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.039673090 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.039752960 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.039787054 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.039861917 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.062442064 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.062542915 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.062558889 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.062621117 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.065052032 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.065262079 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.065275908 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.065335989 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.069097996 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.069169044 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.071804047 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.071885109 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.071897984 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.071959019 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.083683014 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.083753109 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.083801985 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.083861113 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.083874941 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.083937883 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.095047951 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.095160961 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.095175028 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.095231056 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.105298042 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.105372906 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.105525017 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.105581999 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.116703987 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.116765022 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.116779089 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.116931915 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.126113892 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.126333952 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.126348972 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.126427889 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.136126995 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.136471033 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.136534929 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.136868000 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.146986008 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.147305012 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.147403002 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.147603035 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.156241894 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.156511068 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.156645060 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.156877995 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.166491985 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.166598082 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.166676998 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.167155027 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.175906897 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.176068068 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.176084042 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.176147938 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.185483932 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.185581923 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.185647964 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.185754061 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.199872017 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.199985027 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.200016975 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.200073004 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.202759981 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.202846050 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.202886105 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.202965021 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.202977896 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.203059912 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.204051018 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.204143047 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.204268932 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.204308033 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.204333067 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.204350948 CET | 443 | 49846 | 172.217.17.65 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.204380035 CET | 49846 | 443 | 192.168.2.4 | 172.217.17.65 |
| Dec 15, 2024 18:29:51.760657072 CET | 49858 | 80 | 192.168.2.4 | 193.122.130.0 |
| Dec 15, 2024 18:29:51.882474899 CET | 80 | 49858 | 193.122.130.0 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.882699966 CET | 49858 | 80 | 192.168.2.4 | 193.122.130.0 |
| Dec 15, 2024 18:29:51.882936001 CET | 49858 | 80 | 192.168.2.4 | 193.122.130.0 |
| Dec 15, 2024 18:29:52.002624989 CET | 80 | 49858 | 193.122.130.0 | 192.168.2.4 |
| Dec 15, 2024 18:29:53.020834923 CET | 80 | 49858 | 193.122.130.0 | 192.168.2.4 |
| Dec 15, 2024 18:29:53.068552017 CET | 49858 | 80 | 192.168.2.4 | 193.122.130.0 |
| Dec 15, 2024 18:29:53.080347061 CET | 49858 | 80 | 192.168.2.4 | 193.122.130.0 |
| Dec 15, 2024 18:29:53.200185061 CET | 80 | 49858 | 193.122.130.0 | 192.168.2.4 |
| Dec 15, 2024 18:29:53.458142996 CET | 80 | 49858 | 193.122.130.0 | 192.168.2.4 |
| Dec 15, 2024 18:29:53.504085064 CET | 49858 | 80 | 192.168.2.4 | 193.122.130.0 |
| Dec 15, 2024 18:29:54.192825079 CET | 49865 | 443 | 192.168.2.4 | 104.21.67.152 |
| Dec 15, 2024 18:29:54.192908049 CET | 443 | 49865 | 104.21.67.152 | 192.168.2.4 |
| Dec 15, 2024 18:29:54.192981958 CET | 49865 | 443 | 192.168.2.4 | 104.21.67.152 |
| Dec 15, 2024 18:29:54.196424007 CET | 49865 | 443 | 192.168.2.4 | 104.21.67.152 |
| Dec 15, 2024 18:29:54.196465015 CET | 443 | 49865 | 104.21.67.152 | 192.168.2.4 |
| Dec 15, 2024 18:29:55.439449072 CET | 443 | 49865 | 104.21.67.152 | 192.168.2.4 |
| Dec 15, 2024 18:29:55.439595938 CET | 49865 | 443 | 192.168.2.4 | 104.21.67.152 |
| Dec 15, 2024 18:29:55.443269014 CET | 49865 | 443 | 192.168.2.4 | 104.21.67.152 |
| Dec 15, 2024 18:29:55.443300009 CET | 443 | 49865 | 104.21.67.152 | 192.168.2.4 |
| Dec 15, 2024 18:29:55.443701982 CET | 443 | 49865 | 104.21.67.152 | 192.168.2.4 |
| Dec 15, 2024 18:29:55.448642969 CET | 49865 | 443 | 192.168.2.4 | 104.21.67.152 |
| Dec 15, 2024 18:29:55.491453886 CET | 443 | 49865 | 104.21.67.152 | 192.168.2.4 |
| Dec 15, 2024 18:29:55.889712095 CET | 443 | 49865 | 104.21.67.152 | 192.168.2.4 |
| Dec 15, 2024 18:29:55.889796019 CET | 443 | 49865 | 104.21.67.152 | 192.168.2.4 |
| Dec 15, 2024 18:29:55.889882088 CET | 49865 | 443 | 192.168.2.4 | 104.21.67.152 |
| Dec 15, 2024 18:29:55.932670116 CET | 49865 | 443 | 192.168.2.4 | 104.21.67.152 |
| Dec 15, 2024 18:30:01.425071001 CET | 49858 | 80 | 192.168.2.4 | 193.122.130.0 |
| Dec 15, 2024 18:30:01.547382116 CET | 80 | 49858 | 193.122.130.0 | 192.168.2.4 |
| Dec 15, 2024 18:30:01.893702030 CET | 80 | 49858 | 193.122.130.0 | 192.168.2.4 |
| Dec 15, 2024 18:30:01.941771984 CET | 49858 | 80 | 192.168.2.4 | 193.122.130.0 |
| Dec 15, 2024 18:30:02.043170929 CET | 49885 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 15, 2024 18:30:02.043226004 CET | 443 | 49885 | 149.154.167.220 | 192.168.2.4 |
| Dec 15, 2024 18:30:02.043304920 CET | 49885 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 15, 2024 18:30:02.043874025 CET | 49885 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 15, 2024 18:30:02.043903112 CET | 443 | 49885 | 149.154.167.220 | 192.168.2.4 |
| Dec 15, 2024 18:30:03.429035902 CET | 443 | 49885 | 149.154.167.220 | 192.168.2.4 |
| Dec 15, 2024 18:30:03.429136992 CET | 49885 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 15, 2024 18:30:05.474471092 CET | 49885 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 15, 2024 18:30:05.474545956 CET | 443 | 49885 | 149.154.167.220 | 192.168.2.4 |
| Dec 15, 2024 18:30:05.474931955 CET | 443 | 49885 | 149.154.167.220 | 192.168.2.4 |
| Dec 15, 2024 18:30:05.476660967 CET | 49885 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 15, 2024 18:30:05.519345045 CET | 443 | 49885 | 149.154.167.220 | 192.168.2.4 |
| Dec 15, 2024 18:30:05.519459009 CET | 49885 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 15, 2024 18:30:05.519470930 CET | 443 | 49885 | 149.154.167.220 | 192.168.2.4 |
| Dec 15, 2024 18:30:06.300527096 CET | 443 | 49885 | 149.154.167.220 | 192.168.2.4 |
| Dec 15, 2024 18:30:06.300618887 CET | 443 | 49885 | 149.154.167.220 | 192.168.2.4 |
| Dec 15, 2024 18:30:06.300685883 CET | 49885 | 443 | 192.168.2.4 | 149.154.167.220 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 15, 2024 18:29:43.099060059 CET | 51029 | 53 | 192.168.2.4 | 1.1.1.1 |
| Dec 15, 2024 18:29:43.236304045 CET | 53 | 51029 | 1.1.1.1 | 192.168.2.4 |
| Dec 15, 2024 18:29:45.878531933 CET | 56682 | 53 | 192.168.2.4 | 1.1.1.1 |
| Dec 15, 2024 18:29:46.016710043 CET | 53 | 56682 | 1.1.1.1 | 192.168.2.4 |
| Dec 15, 2024 18:29:51.611061096 CET | 65014 | 53 | 192.168.2.4 | 1.1.1.1 |
| Dec 15, 2024 18:29:51.755301952 CET | 53 | 65014 | 1.1.1.1 | 192.168.2.4 |
| Dec 15, 2024 18:29:53.740725994 CET | 62889 | 53 | 192.168.2.4 | 1.1.1.1 |
| Dec 15, 2024 18:29:54.191927910 CET | 53 | 62889 | 1.1.1.1 | 192.168.2.4 |
| Dec 15, 2024 18:30:01.900265932 CET | 52121 | 53 | 192.168.2.4 | 1.1.1.1 |
| Dec 15, 2024 18:30:02.042350054 CET | 53 | 52121 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Dec 15, 2024 18:29:43.099060059 CET | 192.168.2.4 | 1.1.1.1 | 0x2e44 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Dec 15, 2024 18:29:45.878531933 CET | 192.168.2.4 | 1.1.1.1 | 0x5fc5 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Dec 15, 2024 18:29:51.611061096 CET | 192.168.2.4 | 1.1.1.1 | 0xbd8d | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Dec 15, 2024 18:29:53.740725994 CET | 192.168.2.4 | 1.1.1.1 | 0x3259 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Dec 15, 2024 18:30:01.900265932 CET | 192.168.2.4 | 1.1.1.1 | 0xca3c | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Dec 15, 2024 18:29:43.236304045 CET | 1.1.1.1 | 192.168.2.4 | 0x2e44 | No error (0) | 216.58.208.238 | A (IP address) | IN (0x0001) | false | ||
| Dec 15, 2024 18:29:46.016710043 CET | 1.1.1.1 | 192.168.2.4 | 0x5fc5 | No error (0) | 172.217.17.65 | A (IP address) | IN (0x0001) | false | ||
| Dec 15, 2024 18:29:51.755301952 CET | 1.1.1.1 | 192.168.2.4 | 0xbd8d | No error (0) | checkip.dyndns.com | CNAME (Canonical name) | IN (0x0001) | false | ||
| Dec 15, 2024 18:29:51.755301952 CET | 1.1.1.1 | 192.168.2.4 | 0xbd8d | No error (0) | 193.122.130.0 | A (IP address) | IN (0x0001) | false | ||
| Dec 15, 2024 18:29:51.755301952 CET | 1.1.1.1 | 192.168.2.4 | 0xbd8d | No error (0) | 193.122.6.168 | A (IP address) | IN (0x0001) | false | ||
| Dec 15, 2024 18:29:51.755301952 CET | 1.1.1.1 | 192.168.2.4 | 0xbd8d | No error (0) | 132.226.247.73 | A (IP address) | IN (0x0001) | false | ||
| Dec 15, 2024 18:29:51.755301952 CET | 1.1.1.1 | 192.168.2.4 | 0xbd8d | No error (0) | 132.226.8.169 | A (IP address) | IN (0x0001) | false | ||
| Dec 15, 2024 18:29:51.755301952 CET | 1.1.1.1 | 192.168.2.4 | 0xbd8d | No error (0) | 158.101.44.242 | A (IP address) | IN (0x0001) | false | ||
| Dec 15, 2024 18:29:54.191927910 CET | 1.1.1.1 | 192.168.2.4 | 0x3259 | No error (0) | 104.21.67.152 | A (IP address) | IN (0x0001) | false | ||
| Dec 15, 2024 18:29:54.191927910 CET | 1.1.1.1 | 192.168.2.4 | 0x3259 | No error (0) | 172.67.177.134 | A (IP address) | IN (0x0001) | false | ||
| Dec 15, 2024 18:30:02.042350054 CET | 1.1.1.1 | 192.168.2.4 | 0xca3c | No error (0) | 149.154.167.220 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49858 | 193.122.130.0 | 80 | 6020 | C:\Users\user\Desktop\SWIFT09181-24_pdf.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Dec 15, 2024 18:29:51.882936001 CET | 151 | OUT | |
| Dec 15, 2024 18:29:53.020834923 CET | 321 | IN | |
| Dec 15, 2024 18:29:53.080347061 CET | 127 | OUT | |
| Dec 15, 2024 18:29:53.458142996 CET | 321 | IN | |
| Dec 15, 2024 18:30:01.425071001 CET | 127 | OUT | |
| Dec 15, 2024 18:30:01.893702030 CET | 321 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49837 | 216.58.208.238 | 443 | 6020 | C:\Users\user\Desktop\SWIFT09181-24_pdf.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-15 17:29:45 UTC | 216 | OUT | |
| 2024-12-15 17:29:45 UTC | 1920 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49846 | 172.217.17.65 | 443 | 6020 | C:\Users\user\Desktop\SWIFT09181-24_pdf.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-15 17:29:47 UTC | 258 | OUT | |
| 2024-12-15 17:29:50 UTC | 4932 | IN | |
| 2024-12-15 17:29:50 UTC | 4932 | IN | |
| 2024-12-15 17:29:50 UTC | 4835 | IN | |
| 2024-12-15 17:29:50 UTC | 1321 | IN | |
| 2024-12-15 17:29:50 UTC | 1390 | IN | |
| 2024-12-15 17:29:50 UTC | 1390 | IN | |
| 2024-12-15 17:29:50 UTC | 1390 | IN | |
| 2024-12-15 17:29:50 UTC | 1390 | IN | |
| 2024-12-15 17:29:50 UTC | 1390 | IN | |
| 2024-12-15 17:29:50 UTC | 1390 | IN | |
| 2024-12-15 17:29:50 UTC | 1390 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.4 | 49865 | 104.21.67.152 | 443 | 6020 | C:\Users\user\Desktop\SWIFT09181-24_pdf.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-15 17:29:55 UTC | 85 | OUT | |
| 2024-12-15 17:29:55 UTC | 882 | IN | |
| 2024-12-15 17:29:55 UTC | 362 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.4 | 49885 | 149.154.167.220 | 443 | 6020 | C:\Users\user\Desktop\SWIFT09181-24_pdf.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-15 17:30:05 UTC | 295 | OUT | |
| 2024-12-15 17:30:05 UTC | 1090 | OUT | |
| 2024-12-15 17:30:06 UTC | 388 | IN | |
| 2024-12-15 17:30:06 UTC | 542 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 12:27:56 |
| Start date: | 15/12/2024 |
| Path: | C:\Users\user\Desktop\SWIFT09181-24_pdf.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 484'309 bytes |
| MD5 hash: | E47D302AD20A15E7C4816B5E7B236699 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 5 |
| Start time: | 12:29:31 |
| Start date: | 15/12/2024 |
| Path: | C:\Users\user\Desktop\SWIFT09181-24_pdf.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 484'309 bytes |
| MD5 hash: | E47D302AD20A15E7C4816B5E7B236699 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | false |
Execution Graph
| Execution Coverage: | 21.4% |
| Dynamic/Decrypted Code Coverage: | 13.9% |
| Signature Coverage: | 20.8% |
| Total number of Nodes: | 1517 |
| Total number of Limit Nodes: | 47 |
Graph
Function 004032A0 Relevance: 89.7, APIs: 32, Strings: 19, Instructions: 401stringfilecomCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404B30 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406077 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 207stringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405846 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148filestringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406398 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004027FB Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040389E Relevance: 47.5, APIs: 14, Strings: 13, Instructions: 215stringregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401767 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145stringtimeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004025E5 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040237B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71registrystringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004063BF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405128 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401FC3 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401B37 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401DDC Relevance: 3.0, APIs: 2, Instructions: 21COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405C2A Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405700 Relevance: 3.0, APIs: 2, Instructions: 9COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100028A4 Relevance: 2.7, APIs: 2, Instructions: 156memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402786 Relevance: 1.5, APIs: 1, Instructions: 26COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040229D Relevance: 1.5, APIs: 1, Instructions: 25COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405CDC Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405CAD Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100027C7 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040159B Relevance: 1.5, APIs: 1, Instructions: 18COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040414E Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403258 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 1000121B Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004052F3 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284windowclipboardmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004045B4 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040686A Relevance: .3, Instructions: 334COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407041 Relevance: .3, Instructions: 300COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004042B6 Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 207windowstringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405D84 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131stringmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100022D0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404180 Relevance: 12.1, APIs: 8, Instructions: 61COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404A7E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402D04 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100024A9 Relevance: 9.1, APIs: 6, Instructions: 98COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402537 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100018A9 Relevance: 7.7, APIs: 5, Instructions: 189COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100015FF Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401CFA Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404970 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401BDF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405F22 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405A09 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402D8A Relevance: 6.0, APIs: 4, Instructions: 33COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405B11 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405735 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405A55 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100010E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405B8F Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 12% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 16.7% |
| Total number of Nodes: | 36 |
| Total number of Limit Nodes: | 0 |
Graph
Function 00155F90 Relevance: 6.7, Strings: 5, Instructions: 467COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00154328 Relevance: 6.4, Strings: 5, Instructions: 194COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00158DA0 Relevance: 6.1, Strings: 4, Instructions: 1138COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00155968 Relevance: 3.0, Strings: 2, Instructions: 511COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A65BDF0 Relevance: 2.0, Strings: 1, Instructions: 758COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A658650 Relevance: .7, Instructions: 709COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3791C638 Relevance: .3, Instructions: 302COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 379103AF Relevance: .3, Instructions: 285COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A6529B8 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 37910C1B Relevance: .2, Instructions: 240COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 37910C28 Relevance: .2, Instructions: 220COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A65A360 Relevance: .2, Instructions: 219COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A659D10 Relevance: .2, Instructions: 219COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A6596C8 Relevance: .2, Instructions: 218COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A65A9B0 Relevance: .2, Instructions: 218COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 37910F6F Relevance: .2, Instructions: 202COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A65BA97 Relevance: .2, Instructions: 192COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A658640 Relevance: .2, Instructions: 170COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A65A9A0 Relevance: .2, Instructions: 170COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A6596B8 Relevance: .2, Instructions: 166COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A659D00 Relevance: .1, Instructions: 118COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A65A352 Relevance: .1, Instructions: 109COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001566B8 Relevance: 10.5, Strings: 8, Instructions: 456COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001519B8 Relevance: 8.2, Strings: 6, Instructions: 684COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00157458 Relevance: 3.2, Strings: 2, Instructions: 704COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00154F00 Relevance: 2.8, Strings: 2, Instructions: 329COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00155460 Relevance: 2.7, Strings: 2, Instructions: 228COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00158D90 Relevance: 2.7, Strings: 2, Instructions: 190COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00158D19 Relevance: 2.5, Strings: 2, Instructions: 44COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00150B29 Relevance: 1.5, Strings: 1, Instructions: 203COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00150B30 Relevance: 1.4, Strings: 1, Instructions: 200COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00159EB0 Relevance: 1.4, Strings: 1, Instructions: 121COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A65C175 Relevance: .3, Instructions: 322COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A65C173 Relevance: .3, Instructions: 319COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00156C98 Relevance: .2, Instructions: 201COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0015AF90 Relevance: .2, Instructions: 201COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00158A4B Relevance: .2, Instructions: 196COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A657920 Relevance: .1, Instructions: 147COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A65CC28 Relevance: .1, Instructions: 145COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00153168 Relevance: .1, Instructions: 134COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001592C3 Relevance: .1, Instructions: 126COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00158BF0 Relevance: .1, Instructions: 105COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00154620 Relevance: .1, Instructions: 101COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00156F30 Relevance: .1, Instructions: 91COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00156F40 Relevance: .1, Instructions: 87COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001518C8 Relevance: .1, Instructions: 77COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0009D4DC Relevance: .1, Instructions: 75COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001552C8 Relevance: .1, Instructions: 74COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A657922 Relevance: .1, Instructions: 72COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00150EC8 Relevance: .1, Instructions: 70COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0015324D Relevance: .1, Instructions: 68COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001517B8 Relevance: .1, Instructions: 66COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0015461D Relevance: .1, Instructions: 65COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00158729 Relevance: .1, Instructions: 65COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0015FE60 Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001552C0 Relevance: .1, Instructions: 61COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0015B2C8 Relevance: .1, Instructions: 59COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A65B9C7 Relevance: .1, Instructions: 57COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0015B2E0 Relevance: .1, Instructions: 56COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0009D4D7 Relevance: .1, Instructions: 56COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A65B9C8 Relevance: .1, Instructions: 56COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00154E5F Relevance: .1, Instructions: 52COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0015B2F0 Relevance: .0, Instructions: 49COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0015FC3F Relevance: .0, Instructions: 43COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0015B158 Relevance: .0, Instructions: 32COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0015FE13 Relevance: .0, Instructions: 29COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00151877 Relevance: .0, Instructions: 25COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0015FE20 Relevance: .0, Instructions: 23COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0015FFB0 Relevance: .0, Instructions: 23COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00151888 Relevance: .0, Instructions: 19COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001556FF Relevance: .0, Instructions: 18COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00157EC0 Relevance: .0, Instructions: 18COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0015FF23 Relevance: .0, Instructions: 18COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00159F6D Relevance: .0, Instructions: 16COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0015FF30 Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A65BD48 Relevance: .0, Instructions: 13COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00155710 Relevance: .0, Instructions: 12COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004032A0 Relevance: 77.4, APIs: 32, Strings: 12, Instructions: 401stringfilecomCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404B30 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A65AFF8 Relevance: 23.0, Strings: 18, Instructions: 461COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405846 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 148filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A65AFF7 Relevance: 12.9, Strings: 10, Instructions: 362COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A657B4F Relevance: 1.9, Strings: 1, Instructions: 610COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3791B07F Relevance: .3, Instructions: 273COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3791E790 Relevance: .3, Instructions: 272COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3791DEE1 Relevance: .3, Instructions: 272COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3791DA89 Relevance: .3, Instructions: 271COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3791EBF2 Relevance: .3, Instructions: 270COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3791E340 Relevance: .3, Instructions: 270COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A655660 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A652560 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A653268 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A656368 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A657070 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A653F70 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A651858 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A654820 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A651400 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A655208 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A652108 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A652E10 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A655F10 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A656C18 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A653B18 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A6536C0 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A6567C0 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A6574C8 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A6543C8 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A650FA8 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A651CB0 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A654DB0 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3A655AB8 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3791C1F2 Relevance: .3, Instructions: 267COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3791BD9C Relevance: .3, Instructions: 265COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3791B4EC Relevance: .3, Instructions: 265COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3791B944 Relevance: .3, Instructions: 265COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3791F054 Relevance: .3, Instructions: 265COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004052F3 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284windowclipboardmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004042B6 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 207windowstringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040389E Relevance: 37.0, APIs: 13, Strings: 8, Instructions: 215stringregistryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405D84 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131stringmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004045B4 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 275stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406077 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 207stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404180 Relevance: 12.1, APIs: 8, Instructions: 61COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004025E5 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404A7E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402D04 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401CFA Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401D56 Relevance: 7.5, APIs: 5, Instructions: 38COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404970 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401BDF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004063BF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34libraryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405683 Relevance: 6.0, APIs: 4, Instructions: 39COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402D8A Relevance: 6.0, APIs: 4, Instructions: 33COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405128 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405735 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00151A40 Relevance: 5.1, Strings: 4, Instructions: 98COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001558E8 Relevance: 5.0, Strings: 4, Instructions: 49COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405B8F Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|