Edit tour
Windows
Analysis Report
SWIFT091816-24_pdf.exe
Overview
General Information
| Sample name: | SWIFT091816-24_pdf.exe |
| Analysis ID: | 1575732 |
| MD5: | 397346c3391583257950cfe556f0a5e6 |
| SHA1: | 10db5f36ad73ec9757cc05e04aef346a5e486fd5 |
| SHA256: | 342df796e039d1c4b24525eabc4a9e98ce5ff399a4d9ca92dc10b2b87a84c120 |
| Tags: | exeGuLoaderuser-julianmckein |
| Infos: |  |
 | |
Detection
GuLoader, MassLogger RAT
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected MassLogger RAT
Yara detected Telegram RAT
AI detected suspicious sample
Disable Task Manager(disabletaskmgr)
Disables CMD prompt
Disables the Windows task manager (taskmgr)
Initial sample is a PE file and has a suspicious name
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Classification
- System is w10x64
SWIFT091816-24_pdf.exe (PID: 7284 cmdline: "C:\Users\ user\Deskt op\SWIFT09 1816-24_pd f.exe" MD5: 397346C3391583257950CFE556F0A5E6) - SWIFT091816-24_pdf.exe (PID: 7844 cmdline:
"C:\Users\ user\Deskt op\SWIFT09 1816-24_pd f.exe" MD5: 397346C3391583257950CFE556F0A5E6)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution |
{"C2 url": "https://api.telegram.org/bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendMessage"}{"EXfil Mode": "Telegram", "Telegram Token": "7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc", "Telegram Chatid": "7382809095"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | ||
| JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | ||
| JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | ||
| Click to see the 3 entries | ||||
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-16T09:05:51.900356+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49852 | 149.154.167.220 | 443 | TCP |
| 2024-12-16T09:05:55.509609+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49861 | 149.154.167.220 | 443 | TCP |
| 2024-12-16T09:05:59.009494+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49872 | 149.154.167.220 | 443 | TCP |
| 2024-12-16T09:06:02.572563+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49883 | 149.154.167.220 | 443 | TCP |
| 2024-12-16T09:06:06.332693+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49891 | 149.154.167.220 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-16T09:05:41.724171+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49826 | 193.122.6.168 | 80 | TCP |
| 2024-12-16T09:05:49.708588+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49826 | 193.122.6.168 | 80 | TCP |
| 2024-12-16T09:05:53.508834+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49858 | 193.122.6.168 | 80 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-16T09:05:33.778781+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49804 | 172.217.19.174 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
Location Tracking | |
|---|
| Source: | DNS query: | ||
| Source: | Code function: | 4_2_3841D1EC | |
| Source: | Code function: | 4_2_3841D9D9 | |
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00405846 | |
| Source: | Code function: | 0_2_004027FB | |
| Source: | Code function: | 0_2_00406398 | |
| Source: | Code function: | 4_2_00405846 | |
| Source: | Code function: | 4_2_004027FB | |
| Source: | Code function: | 4_2_00406398 | |
| Source: | Code function: | 4_2_384103AF | |
| Source: | Code function: | 4_2_38410C28 | |
| Source: | Code function: | 4_2_3841C638 | |
| Source: | Code function: | 4_2_3841F05A | |
| Source: | Code function: | 4_2_3841B07F | |
| Source: | Code function: | 4_2_3841B930 | |
| Source: | Code function: | 4_2_3841C1F2 | |
| Source: | Code function: | 4_2_3841DA89 | |
| Source: | Code function: | 4_2_3841E339 | |
| Source: | Code function: | 4_2_3841EBF2 | |
| Source: | Code function: | 4_2_38410C1A | |
| Source: | Code function: | 4_2_3841B4D8 | |
| Source: | Code function: | 4_2_3841BDA2 | |
| Source: | Code function: | 4_2_3841DEE1 | |
| Source: | Code function: | 4_2_38410F6F | |
| Source: | Code function: | 4_2_3841E790 | |
| Source: | Code function: | 4_2_38FB29B8 | |
| Source: | Code function: | 4_2_38FBBDF0 | |
| Source: | Code function: | 4_2_38FB8650 | |
| Source: | Code function: | 4_2_38FB8650 | |
| Source: | Code function: | 4_2_38FB7070 | |
| Source: | Code function: | 4_2_38FB1858 | |
| Source: | Code function: | 4_2_38FB4820 | |
| Source: | Code function: | 4_2_38FB8193 | |
| Source: | Code function: | 4_2_38FBC92F | |
| Source: | Code function: | 4_2_38FB2108 | |
| Source: | Code function: | 4_2_38FB5AB8 | |
| Source: | Code function: | 4_2_38FB3268 | |
| Source: | Code function: | 4_2_38FB5208 | |
| Source: | Code function: | 4_2_38FBCBE7 | |
| Source: | Code function: | 4_2_38FB43C8 | |
| Source: | Code function: | 4_2_38FB8373 | |
| Source: | Code function: | 4_2_38FB6368 | |
| Source: | Code function: | 4_2_38FB7B4F | |
| Source: | Code function: | 4_2_38FB3B18 | |
| Source: | Code function: | 4_2_38FB74C8 | |
| Source: | Code function: | 4_2_38FB1CB0 | |
| Source: | Code function: | 4_2_38FB6C18 | |
| Source: | Code function: | 4_2_38FB1400 | |
| Source: | Code function: | 4_2_38FB4DB0 | |
| Source: | Code function: | 4_2_38FB2560 | |
| Source: | Code function: | 4_2_38FB36C0 | |
| Source: | Code function: | 4_2_38FB5660 | |
| Source: | Code function: | 4_2_38FB2E10 | |
| Source: | Code function: | 4_2_38FB67C0 | |
| Source: | Code function: | 4_2_38FB0FA8 | |
| Source: | Code function: | 4_2_38FB3F70 | |
| Source: | Code function: | 4_2_38FB5F10 | |
| Source: | Code function: | 4_2_394EE7C8 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | JA3 fingerprint: | ||
| Source: | JA3 fingerprint: | ||
| Source: | DNS query: | ||
| Source: | DNS query: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 0_2_004052F3 | |
System Summary | |
|---|
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_004032A0 | |
| Source: | Code function: | 4_2_004032A0 | |
| Source: | Code function: | 0_2_00404B30 | |
| Source: | Code function: | 0_2_00407041 | |
| Source: | Code function: | 0_2_0040686A | |
| Source: | Code function: | 4_2_00407041 | |
| Source: | Code function: | 4_2_0040686A | |
| Source: | Code function: | 4_2_00404B30 | |
| Source: | Code function: | 4_2_3600311B | |
| Source: | Code function: | 4_2_360027B9 | |
| Source: | Code function: | 4_2_36004328 | |
| Source: | Code function: | 4_2_36008E0C | |
| Source: | Code function: | 4_2_38413318 | |
| Source: | Code function: | 4_2_384103AF | |
| Source: | Code function: | 4_2_3841CCA0 | |
| Source: | Code function: | 4_2_3841C638 | |
| Source: | Code function: | 4_2_38417848 | |
| Source: | Code function: | 4_2_3841F05A | |
| Source: | Code function: | 4_2_3841B07F | |
| Source: | Code function: | 4_2_3841B930 | |
| Source: | Code function: | 4_2_3841C1F2 | |
| Source: | Code function: | 4_2_3841DA89 | |
| Source: | Code function: | 4_2_3841E347 | |
| Source: | Code function: | 4_2_3841EBF2 | |
| Source: | Code function: | 4_2_3841B4D8 | |
| Source: | Code function: | 4_2_3841CCA2 | |
| Source: | Code function: | 4_2_3841BDA2 | |
| Source: | Code function: | 4_2_38417628 | |
| Source: | Code function: | 4_2_3841DEE1 | |
| Source: | Code function: | 4_2_3841E79F | |
| Source: | Code function: | 4_2_38FB29B8 | |
| Source: | Code function: | 4_2_38FBA9B0 | |
| Source: | Code function: | 4_2_38FBA360 | |
| Source: | Code function: | 4_2_38FBBDF0 | |
| Source: | Code function: | 4_2_38FB9D10 | |
| Source: | Code function: | 4_2_38FB96C8 | |
| Source: | Code function: | 4_2_38FB8650 | |
| Source: | Code function: | 4_2_38FB20F8 | |
| Source: | Code function: | 4_2_38FB7070 | |
| Source: | Code function: | 4_2_38FB7061 | |
| Source: | Code function: | 4_2_38FB1858 | |
| Source: | Code function: | 4_2_38FB184C | |
| Source: | Code function: | 4_2_38FB0040 | |
| Source: | Code function: | 4_2_38FB4820 | |
| Source: | Code function: | 4_2_38FB51F8 | |
| Source: | Code function: | 4_2_38FBA9A0 | |
| Source: | Code function: | 4_2_38FBF136 | |
| Source: | Code function: | 4_2_38FB2108 | |
| Source: | Code function: | 4_2_38FB5AB8 | |
| Source: | Code function: | 4_2_38FB5AA8 | |
| Source: | Code function: | 4_2_38FBBA97 | |
| Source: | Code function: | 4_2_38FB3268 | |
| Source: | Code function: | 4_2_38FB3258 | |
| Source: | Code function: | 4_2_38FB5208 | |
| Source: | Code function: | 4_2_38FB13F0 | |
| Source: | Code function: | 4_2_38FB43C8 | |
| Source: | Code function: | 4_2_38FB6368 | |
| Source: | Code function: | 4_2_38FB6358 | |
| Source: | Code function: | 4_2_38FBA352 | |
| Source: | Code function: | 4_2_38FB7B4F | |
| Source: | Code function: | 4_2_38FB3B18 | |
| Source: | Code function: | 4_2_38FB3B08 | |
| Source: | Code function: | 4_2_38FB74C8 | |
| Source: | Code function: | 4_2_38FB74B8 | |
| Source: | Code function: | 4_2_38FB1CB0 | |
| Source: | Code function: | 4_2_38FB1CA0 | |
| Source: | Code function: | 4_2_38FB6C18 | |
| Source: | Code function: | 4_2_38FB6C09 | |
| Source: | Code function: | 4_2_38FB1400 | |
| Source: | Code function: | 4_2_38FBBDBC | |
| Source: | Code function: | 4_2_38FB4DB2 | |
| Source: | Code function: | 4_2_38FB4DB0 | |
| Source: | Code function: | 4_2_38FB2560 | |
| Source: | Code function: | 4_2_38FB255F | |
| Source: | Code function: | 4_2_38FB9D00 | |
| Source: | Code function: | 4_2_38FB36C2 | |
| Source: | Code function: | 4_2_38FB36C0 | |
| Source: | Code function: | 4_2_38FB96B8 | |
| Source: | Code function: | 4_2_38FB5660 | |
| Source: | Code function: | 4_2_38FB565F | |
| Source: | Code function: | 4_2_38FB5650 | |
| Source: | Code function: | 4_2_38FB8640 | |
| Source: | Code function: | 4_2_38FB2E10 | |
| Source: | Code function: | 4_2_38FB2E00 | |
| Source: | Code function: | 4_2_38FBAFF8 | |
| Source: | Code function: | 4_2_38FBAFF6 | |
| Source: | Code function: | 4_2_38FB67C0 | |
| Source: | Code function: | 4_2_38FB67B0 | |
| Source: | Code function: | 4_2_38FB0FA8 | |
| Source: | Code function: | 4_2_38FB0F98 | |
| Source: | Code function: | 4_2_38FB3F72 | |
| Source: | Code function: | 4_2_38FB3F70 | |
| Source: | Code function: | 4_2_38FB5F10 | |
| Source: | Code function: | 4_2_394EE7C8 | |
| Source: | Code function: | 4_2_394ED6C1 | |
| Source: | Code function: | 4_2_394E6FA0 | |
| Source: | Code function: | 4_2_394E8328 | |
| Source: | Code function: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_004032A0 | |
| Source: | Code function: | 4_2_004032A0 | |
| Source: | Code function: | 0_2_004045B4 | |
| Source: | Code function: | 0_2_00402095 | |
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | LNK file: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
Data Obfuscation | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Code function: | 0_2_10001B18 | |
| Source: | Code function: | 0_2_10002E0E | |
| Source: | Code function: | 4_2_3600A492 | |
| Source: | Code function: | 4_2_3600A4FD | |
| Source: | Code function: | 4_2_384177EB | |
| Source: | Code function: | 4_2_394EC898 | |
| Source: | File created: | Jump to dropped file | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | API/Special instruction interceptor: | ||
| Source: | API/Special instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | API coverage: | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Code function: | 0_2_00405846 | |
| Source: | Code function: | 0_2_004027FB | |
| Source: | Code function: | 0_2_00406398 | |
| Source: | Code function: | 4_2_00405846 | |
| Source: | Code function: | 4_2_004027FB | |
| Source: | Code function: | 4_2_00406398 | |
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_0-3753 | ||
| Source: | API call chain: | graph_0-3933 | ||
| Source: | Code function: | 0_2_00403C41 | |
| Source: | Code function: | 0_2_10001B18 | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_00406077 | |
| Source: | Key value queried: | Jump to behavior | ||
Lowering of HIPS / PFW / Operating System Security Settings | |
|---|
| Source: | Registry value created: | Jump to behavior | ||
| Source: | Registry value created: | Jump to behavior | ||
| Source: | Registry key created or modified: | Jump to behavior | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Masquerading | 1 OS Credential Dumping | 21 Security Software Discovery | Remote Services | 1 Email Collection | 1 Web Service | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 11 Process Injection | 31 Disable or Modify Tools | LSASS Memory | 31 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 31 Virtualization/Sandbox Evasion | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | 1 Data from Local System | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Access Token Manipulation | NTDS | 1 System Network Configuration Discovery | Distributed Component Object Model | 1 Clipboard Data | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Process Injection | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | 14 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Deobfuscate/Decode Files or Information | Cached Domain Credentials | 215 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 3 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 26% | ReversingLabs | Win32.Trojan.Garf |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| drive.google.com | 172.217.19.174 | true | false | high | |
| drive.usercontent.google.com | 142.250.181.1 | true | false | high | |
| reallyfreegeoip.org | 104.21.67.152 | true | false | high | |
| api.telegram.org | 149.154.167.220 | true | false | high | |
| checkip.dyndns.com | 193.122.6.168 | true | false | high | |
| checkip.dyndns.org | unknown | unknown | false | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | high | ||
| false | high | ||
| false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false | |
| 142.250.181.1 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false | |
| 104.21.67.152 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false | |
| 193.122.6.168 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false | |
| 172.217.19.174 | drive.google.com | United States | 15169 | GOOGLEUS | false |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1575732 |
| Start date and time: | 2024-12-16 09:03:08 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 7m 9s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 6 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | SWIFT091816-24_pdf.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@3/8@5/5 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.63
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- VT rate limit hit for: SWIFT091816-24_pdf.exe
| Time | Type | Description |
|---|---|---|
| 03:05:49 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 149.154.167.220 | Get hash | malicious | GuLoader, MassLogger RAT | Browse | ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | ScreenConnect Tool, Amadey, LummaC Stealer, PureLog Stealer, Vidar, Xmrig | Browse | |||
| Get hash | malicious | 77Rootkit, XWorm | Browse | |||
| Get hash | malicious | Discord Token Stealer, DotStealer | Browse | |||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
| Get hash | malicious | Discord Token Stealer, Millenuim RAT | Browse | |||
| Get hash | malicious | Discord Token Stealer, DotStealer | Browse | |||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
| Get hash | malicious | MassLogger RAT | Browse | |||
| 104.21.67.152 | Get hash | malicious | GuLoader, MassLogger RAT | Browse | ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
| Get hash | malicious | MassLogger RAT | Browse | |||
| Get hash | malicious | MassLogger RAT | Browse | |||
| Get hash | malicious | Snake Keylogger | Browse | |||
| Get hash | malicious | Snake Keylogger | Browse | |||
| Get hash | malicious | MassLogger RAT | Browse | |||
| Get hash | malicious | MassLogger RAT | Browse | |||
| Get hash | malicious | MassLogger RAT | Browse | |||
| 193.122.6.168 | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| |
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| checkip.dyndns.com | Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| |
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Amadey, AsyncRAT, HVNC, LummaC Stealer, RedLine, Stealc | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | AsyncRAT, HVNC, PureLog Stealer | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| reallyfreegeoip.org | Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| |
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| api.telegram.org | Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| |
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | 77Rootkit, XWorm | Browse |
| ||
| Get hash | malicious | Discord Token Stealer, DotStealer | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Discord Token Stealer, Millenuim RAT | Browse |
| ||
| Get hash | malicious | Discord Token Stealer, DotStealer | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | Luca Stealer | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| ORACLE-BMC-31898US | Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Amadey, AsyncRAT, HVNC, LummaC Stealer, RedLine, Stealc | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Mirai, Okiru | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | AsyncRAT, HVNC, PureLog Stealer | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| TELEGRAMRU | Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| |
| Get hash | malicious | LummaC, Amadey, Cryptbot, Vidar, Xmrig | Browse |
| ||
| Get hash | malicious | Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig | Browse |
| ||
| Get hash | malicious | Vidar | Browse |
| ||
| Get hash | malicious | Vidar | Browse |
| ||
| Get hash | malicious | PureCrypter, LummaC, Amadey, Cryptbot, LummaC Stealer, PureLog Stealer, Vidar | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar, Xmrig | Browse |
| ||
| Get hash | malicious | ScreenConnect Tool, Amadey, LummaC Stealer, PureLog Stealer, Vidar, Xmrig | Browse |
| ||
| Get hash | malicious | ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig | Browse |
| ||
| CLOUDFLARENETUS | Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Cobalt Strike, Remcos | Browse |
| ||
| Get hash | malicious | Cobalt Strike, Remcos | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Amadey, LummaC Stealer, Vidar, Xmrig | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 54328bd36c14bd82ddaa0c04b25ed9ad | Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| |
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | Njrat | Browse |
| ||
| 3b5074b1b5d032e5620f69f9f700ff0e | Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| |
| Get hash | malicious | Quasar | Browse |
| ||
| Get hash | malicious | Quasar | Browse |
| ||
| Get hash | malicious | Quasar | Browse |
| ||
| Get hash | malicious | Cobalt Strike, Remcos | Browse |
| ||
| Get hash | malicious | Cobalt Strike, Remcos | Browse |
| ||
| Get hash | malicious | XWorm | Browse |
| ||
| Get hash | malicious | Amadey, LummaC Stealer, Vidar, Xmrig | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| 37f463bf4616ecd445d4a1937da06e19 | Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| |
| Get hash | malicious | LummaC, Amadey, Cryptbot, Vidar, Xmrig | Browse |
| ||
| Get hash | malicious | Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig | Browse |
| ||
| Get hash | malicious | XWorm | Browse |
| ||
| Get hash | malicious | Vidar | Browse |
| ||
| Get hash | malicious | Vidar | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, PureLog Stealer, Stealc | Browse |
| ||
| Get hash | malicious | PureCrypter, LummaC, Amadey, Cryptbot, LummaC Stealer, PureLog Stealer, Vidar | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\nsq69D9.tmp\System.dll | Get hash | malicious | GuLoader, MassLogger RAT | Browse | ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse | |||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Recaulescence.Tid
Download File
| Process: | C:\Users\user\Desktop\SWIFT091816-24_pdf.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 56144 |
| Entropy (8bit): | 4.602729797668527 |
| Encrypted: | false |
| SSDEEP: | 768:uWHutI/Kh5+BOfOywpKhYE4kirhMZs7fRVPYQagCy8s8ks7b:uhMKh5+BPTMaE4kidMVgTZ8R7b |
| MD5: | 5E9B639D1BD991718F5616DC844CC948 |
| SHA1: | 10C13FACE71A7D77EBB4F8570AD9AB849C0DE6F4 |
| SHA-256: | 384967853FBF407613B54DD1D10577619EAE2B0905251C0A3445B5CE4E144ED1 |
| SHA-512: | F3D887ED54F197158478E024CF1180164BB6849481E8EFD7901564308CEDE83B4A6480EA1DBEC71457ABDBF4BB6660A0D892EDA7E2A2E5B61BB560E713739807 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Riprap43.gaw
Download File
| Process: | C:\Users\user\Desktop\SWIFT091816-24_pdf.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 56641 |
| Entropy (8bit): | 1.2318917163845036 |
| Encrypted: | false |
| SSDEEP: | 384:vrBeaW6xu5Pd9GW0Zq+/HXF1qcGNMUd8phxiFQHOV7hpvZlq:t9+Pdop/306xixrlq |
| MD5: | 39C9A5F767D8C170B5CE38EA8D5734D4 |
| SHA1: | 4B4CA81EB3D093645B504004F62A269D4EACDECC |
| SHA-256: | 87A7017021050071DBE5726BF9AC505763CD923E2BDE93336CA0905802CD8D49 |
| SHA-512: | AE2D66B801251046FA4D3093391B916955B43BE75A954DD398583B1B8881A9F109F51F81D6E4FE759F83AC7B921FA89B02185013AFDE16D3C8EAB422BE89B4FF |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Sgetilladelse.sti
Download File
| Process: | C:\Users\user\Desktop\SWIFT091816-24_pdf.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 265012 |
| Entropy (8bit): | 7.779151164586136 |
| Encrypted: | false |
| SSDEEP: | 6144:80CRHkWxHRRqVMr6UYR5gkpO+a5FzNJpYPjx++nZx:3nARqVMr7YR5k+aSPk+v |
| MD5: | 9CE89B37C74BF9D6F5C859F5328E28E0 |
| SHA1: | 730DF2B270BA090A91BFCA3D44481F9D265BA8D8 |
| SHA-256: | 023EBB51F309BC108E0683918273BA04AD7BC912E28621785AA9A67BA4A73861 |
| SHA-512: | AA3BBD32F8157E0A576FC106A2E5E5A36B871FDDBB0B25C2C2021DA7CD87ED9956DA10797F972F76F56C36EA5D22E281975DBBB3B3568AE93CF3F7A17E5032B7 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\forskansningens.txt
Download File
| Process: | C:\Users\user\Desktop\SWIFT091816-24_pdf.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 345 |
| Entropy (8bit): | 4.241929841155785 |
| Encrypted: | false |
| SSDEEP: | 6:dvkdMOL4xnuXGNQWjMIDw1luhPB46xAJX7sBJOdkmLA8gMfArpIXbgOwQWiQJEEC:dufExIoDe1lYnGJLsBQdtL6rpIrWQkJA |
| MD5: | AE69FE0F4D1E1115BC470031E661785C |
| SHA1: | 8D3799826FE457C61C1E8EE5E3071683A8125BC5 |
| SHA-256: | 6B18768503395C809263568D3A8858810404C2B7D49DC7CB6CE5F717F5D6C7DE |
| SHA-512: | 969C0DB048EAC4A9B447A0C0C463A7983F1B4091B6206E274B9D249F8311439B6C33F5AA1EDF9CD1AA27502DA49378D3E1B45F16909C55DF830E51684E9648BE |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\fyldebtten.soi
Download File
| Process: | C:\Users\user\Desktop\SWIFT091816-24_pdf.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 210366 |
| Entropy (8bit): | 1.240975322465592 |
| Encrypted: | false |
| SSDEEP: | 768:vBTwJOLxCIF0V6iLboHog6BQlsMqlN1R0pmGy30wbfq6+9GmlsNh34k0uJ/QohER:cJigyyDJnLH7zA |
| MD5: | AEF78D8D561E8802286A78AAC6C73ED6 |
| SHA1: | DDF5DA649482D0A553802827BB9F0EF64A7069E1 |
| SHA-256: | 45F24543C01C9A11CC2246A9B27569AF433EEF61C877A4E191B683315D3566BE |
| SHA-512: | 93D43C0CECADF8E1F507F8E58D2B4D92995D8F7ECF213A23559938B380033A6D0D80B0816A8D6603864F821F4FEDC988E0F79BE14C6892089178970E08DC4199 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\wildwestfilm.sto
Download File
| Process: | C:\Users\user\Desktop\SWIFT091816-24_pdf.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 363811 |
| Entropy (8bit): | 1.2512349423386382 |
| Encrypted: | false |
| SSDEEP: | 768:y2f405GRYtnSLOBbyCociR2TVuEpHsVURGxwGmXjyMB+CtKDOgt9rlHF1QOs+9m5:pIuagbnK7CwVwFpYogwhUsvCq |
| MD5: | BFEA15C03AB295424981A73637A19491 |
| SHA1: | A5ADABDDC373D6B3004F96946D84B651E42D9F5C |
| SHA-256: | 83E9CE74259889DCABD39D41131F286882B224698DCDEB8D0B4074069AAA687B |
| SHA-512: | CB5969BFFAED8AF1791938E924E0CC9F876E45165F4E7EA5E9249131FACA831C0600F14BD68EF041D18C81A3FBE087970043D1B3B8A6786C1E5E5049834D4D0D |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\SWIFT091816-24_pdf.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 11776 |
| Entropy (8bit): | 5.655335921632966 |
| Encrypted: | false |
| SSDEEP: | 192:eF24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol9Sl:h8QIl975eXqlWBrz7YLOl9 |
| MD5: | EE260C45E97B62A5E42F17460D406068 |
| SHA1: | DF35F6300A03C4D3D3BD69752574426296B78695 |
| SHA-256: | E94A1F7BCD7E0D532B660D0AF468EB3321536C3EFDCA265E61F9EC174B1AEF27 |
| SHA-512: | A98F350D17C9057F33E5847462A87D59CBF2AAEDA7F6299B0D49BB455E484CE4660C12D2EB8C4A0D21DF523E729222BBD6C820BF25B081BC7478152515B414B3 |
| Malicious: | false |
| Antivirus: |
|
| Joe Sandbox View: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\SWIFT091816-24_pdf.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1156 |
| Entropy (8bit): | 3.250976511083343 |
| Encrypted: | false |
| SSDEEP: | 12:8wl0asXowAOcQ/tz0/CSL6/cBnwgXl341DEDeG41DED/RKQ1olfW+kjcmAahTCN7:8xLDWLrFPjPL9izZMspdqy |
| MD5: | DA3120C581FD7369156BF3B9B82815B5 |
| SHA1: | 12B60059AE6BCFFFADEB2D4BDD2B4000E5295362 |
| SHA-256: | 5EA5E2BC538A59AA6F16F46991007F577B6EA4B456D42CBBDCF25EAB84FFA971 |
| SHA-512: | B65020A6B78960BED204A4F4C39BEE4BD43E28349DB8D61C91788D6600E89204DFFB4D9087434D8A924994C04C8C36F2A3D69563FDA8AE1D34A333F017AC2FD6 |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.958449020228623 |
| TrID: |
|
| File name: | SWIFT091816-24_pdf.exe |
| File size: | 434'942 bytes |
| MD5: | 397346c3391583257950cfe556f0a5e6 |
| SHA1: | 10db5f36ad73ec9757cc05e04aef346a5e486fd5 |
| SHA256: | 342df796e039d1c4b24525eabc4a9e98ce5ff399a4d9ca92dc10b2b87a84c120 |
| SHA512: | 1761d7e174889423f882fc8ae6c993d9aefd99469f4d4245646cf7bd3bd50ef438c381d40432c973057248ac6eb4434b7f87c1f76bd685323c793aff4ae87ebd |
| SSDEEP: | 12288:I5A6gahpmuyaqry4+bTuT+P33xOFL6IR8u7Jj1JK8s5FEeKI:ZFYcu6uu4CvR8u7Jj1Jicex |
| TLSH: | A59423513330EA72E8A14B354F379BF76A7A731545A05F0F8F64699838223C2CC6F969 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P..*_...P...P..NP..*_...P...s...P...V...P..Rich.P..........................PE..L......V.................d......... |
 | |
| Icon Hash: | 3d2e0f95332b3399 |
| Entrypoint: | 0x4032a0 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x567F847F [Sun Dec 27 06:26:07 2015 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | d4b94e8ee3f620a89d114b9da4b31873 |
| Instruction |
|---|
| sub esp, 000002D4h |
| push ebp |
| push esi |
| push 00000020h |
| xor ebp, ebp |
| pop esi |
| mov dword ptr [esp+0Ch], ebp |
| push 00008001h |
| mov dword ptr [esp+0Ch], 0040A300h |
| mov dword ptr [esp+18h], ebp |
| call dword ptr [004080B0h] |
| call dword ptr [004080ACh] |
| cmp ax, 00000006h |
| je 00007F64AC8264E3h |
| push ebp |
| call 00007F64AC829626h |
| cmp eax, ebp |
| je 00007F64AC8264D9h |
| push 00000C00h |
| call eax |
| push ebx |
| push edi |
| push 0040A2F4h |
| call 00007F64AC8295A3h |
| push 0040A2ECh |
| call 00007F64AC829599h |
| push 0040A2E0h |
| call 00007F64AC82958Fh |
| push 00000009h |
| call 00007F64AC8295F4h |
| push 00000007h |
| call 00007F64AC8295EDh |
| mov dword ptr [00434F04h], eax |
| call dword ptr [00408044h] |
| push ebp |
| call dword ptr [004082A8h] |
| mov dword ptr [00434FB8h], eax |
| push ebp |
| lea eax, dword ptr [esp+34h] |
| push 000002B4h |
| push eax |
| push ebp |
| push 0042B228h |
| call dword ptr [0040818Ch] |
| push 0040A2C8h |
| push 00433F00h |
| call 00007F64AC8291DAh |
| call dword ptr [004080A8h] |
| mov ebx, 0043F000h |
| push eax |
| push ebx |
| call 00007F64AC8291C8h |
| push ebp |
| call dword ptr [00408178h] |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x85c8 | 0xa0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5d000 | 0x11e0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b8 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x637c | 0x6400 | 83ff228d6dae8dd738eb2f78afbc793f | False | 0.672421875 | data | 6.491609540807675 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x8000 | 0x147c | 0x1600 | d9f9b0b330e238260616b62a7a3cac09 | False | 0.42933238636363635 | data | 4.973928345594701 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xa000 | 0x2aff8 | 0x600 | 3f2b05c8fbb8b2e4c9c89e93d30e7252 | False | 0.53125 | data | 4.133631086111171 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .ndata | 0x35000 | 0x28000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x5d000 | 0x11e0 | 0x1200 | 20639f4e7c421f5379e2fb9ea4a1530d | False | 0.3684895833333333 | data | 4.485045860065118 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_BITMAP | 0x5d268 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States | 0.23623853211009174 |
| RT_ICON | 0x5d5d0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.42473118279569894 |
| RT_DIALOG | 0x5d8b8 | 0x144 | data | English | United States | 0.5216049382716049 |
| RT_DIALOG | 0x5da00 | 0x13c | data | English | United States | 0.5506329113924051 |
| RT_DIALOG | 0x5db40 | 0x100 | data | English | United States | 0.5234375 |
| RT_DIALOG | 0x5dc40 | 0x11c | data | English | United States | 0.6056338028169014 |
| RT_DIALOG | 0x5dd60 | 0xc4 | data | English | United States | 0.5918367346938775 |
| RT_DIALOG | 0x5de28 | 0x60 | data | English | United States | 0.7291666666666666 |
| RT_GROUP_ICON | 0x5de88 | 0x14 | data | English | United States | 1.2 |
| RT_MANIFEST | 0x5dea0 | 0x33f | XML 1.0 document, ASCII text, with very long lines (831), with no line terminators | English | United States | 0.5547533092659447 |
| DLL | Import |
|---|---|
| KERNEL32.dll | SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, MoveFileW, SetFileAttributesW, GetCurrentProcess, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, CopyFileW, CompareFileTime, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, LoadLibraryW, GetProcAddress, GetModuleHandleA, ExpandEnvironmentStringsW, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, GlobalFree, lstrcmpW, GlobalAlloc, WaitForSingleObject, GlobalUnlock, GetDiskFreeSpaceW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW |
| USER32.dll | GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, GetDC, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, LoadImageW, SetWindowLongW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, SetTimer, FindWindowExW, SendMessageTimeoutW, SetForegroundWindow |
| GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
| SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW |
| ADVAPI32.dll | RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW |
| COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
| ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-16T09:05:33.778781+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49804 | 172.217.19.174 | 443 | TCP |
| 2024-12-16T09:05:41.724171+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49826 | 193.122.6.168 | 80 | TCP |
| 2024-12-16T09:05:49.708588+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49826 | 193.122.6.168 | 80 | TCP |
| 2024-12-16T09:05:51.900356+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.4 | 49852 | 149.154.167.220 | 443 | TCP |
| 2024-12-16T09:05:53.508834+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49858 | 193.122.6.168 | 80 | TCP |
| 2024-12-16T09:05:55.509609+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.4 | 49861 | 149.154.167.220 | 443 | TCP |
| 2024-12-16T09:05:59.009494+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.4 | 49872 | 149.154.167.220 | 443 | TCP |
| 2024-12-16T09:06:02.572563+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.4 | 49883 | 149.154.167.220 | 443 | TCP |
| 2024-12-16T09:06:06.332693+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.4 | 49891 | 149.154.167.220 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 16, 2024 09:05:31.147376060 CET | 49804 | 443 | 192.168.2.4 | 172.217.19.174 |
| Dec 16, 2024 09:05:31.147422075 CET | 443 | 49804 | 172.217.19.174 | 192.168.2.4 |
| Dec 16, 2024 09:05:31.147511959 CET | 49804 | 443 | 192.168.2.4 | 172.217.19.174 |
| Dec 16, 2024 09:05:31.165493965 CET | 49804 | 443 | 192.168.2.4 | 172.217.19.174 |
| Dec 16, 2024 09:05:31.165534973 CET | 443 | 49804 | 172.217.19.174 | 192.168.2.4 |
| Dec 16, 2024 09:05:32.866229057 CET | 443 | 49804 | 172.217.19.174 | 192.168.2.4 |
| Dec 16, 2024 09:05:32.866326094 CET | 49804 | 443 | 192.168.2.4 | 172.217.19.174 |
| Dec 16, 2024 09:05:32.867393970 CET | 443 | 49804 | 172.217.19.174 | 192.168.2.4 |
| Dec 16, 2024 09:05:32.867468119 CET | 49804 | 443 | 192.168.2.4 | 172.217.19.174 |
| Dec 16, 2024 09:05:32.946434021 CET | 49804 | 443 | 192.168.2.4 | 172.217.19.174 |
| Dec 16, 2024 09:05:32.946512938 CET | 443 | 49804 | 172.217.19.174 | 192.168.2.4 |
| Dec 16, 2024 09:05:32.946986914 CET | 443 | 49804 | 172.217.19.174 | 192.168.2.4 |
| Dec 16, 2024 09:05:32.947062016 CET | 49804 | 443 | 192.168.2.4 | 172.217.19.174 |
| Dec 16, 2024 09:05:32.951417923 CET | 49804 | 443 | 192.168.2.4 | 172.217.19.174 |
| Dec 16, 2024 09:05:32.995383024 CET | 443 | 49804 | 172.217.19.174 | 192.168.2.4 |
| Dec 16, 2024 09:05:33.778799057 CET | 443 | 49804 | 172.217.19.174 | 192.168.2.4 |
| Dec 16, 2024 09:05:33.778882980 CET | 443 | 49804 | 172.217.19.174 | 192.168.2.4 |
| Dec 16, 2024 09:05:33.778891087 CET | 49804 | 443 | 192.168.2.4 | 172.217.19.174 |
| Dec 16, 2024 09:05:33.778923035 CET | 49804 | 443 | 192.168.2.4 | 172.217.19.174 |
| Dec 16, 2024 09:05:33.779854059 CET | 49804 | 443 | 192.168.2.4 | 172.217.19.174 |
| Dec 16, 2024 09:05:33.779874086 CET | 443 | 49804 | 172.217.19.174 | 192.168.2.4 |
| Dec 16, 2024 09:05:33.933680058 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:33.933722973 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:33.933783054 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:33.934046030 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:33.934062958 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:35.634788990 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:35.634923935 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:35.640613079 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:35.640635014 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:35.640943050 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:35.642479897 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:35.656537056 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:35.699348927 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.552872896 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.552988052 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.565912962 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.566004992 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.672166109 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.672280073 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.672292948 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.673542023 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.676326990 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.677331924 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.744189024 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.744580984 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.748074055 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.748166084 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.748173952 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.748836040 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.753772020 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.756557941 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.761651993 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.764991045 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.764997005 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.765038967 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.770908117 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.773503065 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.773762941 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.773924112 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.780189037 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.780971050 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.787563086 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.787620068 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.791441917 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.792694092 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.801289082 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.805525064 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.805531979 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.805589914 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.814812899 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.814917088 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.818023920 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.821515083 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.828466892 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.828982115 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.831650972 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.831727028 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.842170954 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.842286110 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.845347881 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.845447063 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.855901003 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.856724024 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.859127998 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.859178066 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.869621992 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.869679928 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.869719982 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.869779110 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.883246899 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.884483099 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.903295040 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.903382063 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.903394938 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.903433084 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.935935974 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.936031103 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.936043024 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.936084032 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.938086033 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.938132048 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.942645073 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.942697048 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.942722082 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.942760944 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.946393013 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.946445942 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.946470976 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.946506977 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.958904028 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.958956957 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.960294962 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.960345030 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.960354090 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.960397959 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.969774008 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.969835043 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.969908953 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.969954014 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.980671883 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.980740070 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.980830908 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.980880022 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.989608049 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.989679098 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:38.989684105 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:38.989727974 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:39.002029896 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:39.002151966 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:39.002166033 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:39.002237082 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:39.011015892 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:39.011102915 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:39.011115074 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:39.011158943 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:39.021136999 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:39.021193981 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:39.021243095 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:39.021280050 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:39.031052113 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:39.031167030 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:39.031193972 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:39.031251907 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:39.040024042 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:39.040096998 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:39.040117025 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:39.040149927 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:39.050889015 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:39.051017046 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:39.051207066 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:39.051248074 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:39.058753967 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:39.058840036 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:39.058850050 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:39.058903933 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:39.067821026 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:39.067871094 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:39.067914009 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:39.067950964 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:39.076564074 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:39.076622963 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:39.076790094 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:39.076826096 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:39.076832056 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:39.076869011 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:39.077971935 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:39.078008890 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:39.078064919 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:39.078092098 CET | 443 | 49812 | 142.250.181.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:39.078134060 CET | 49812 | 443 | 192.168.2.4 | 142.250.181.1 |
| Dec 16, 2024 09:05:39.849540949 CET | 49826 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 16, 2024 09:05:39.969441891 CET | 80 | 49826 | 193.122.6.168 | 192.168.2.4 |
| Dec 16, 2024 09:05:39.969645977 CET | 49826 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 16, 2024 09:05:39.969947100 CET | 49826 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 16, 2024 09:05:40.089787960 CET | 80 | 49826 | 193.122.6.168 | 192.168.2.4 |
| Dec 16, 2024 09:05:41.243218899 CET | 80 | 49826 | 193.122.6.168 | 192.168.2.4 |
| Dec 16, 2024 09:05:41.247028112 CET | 49826 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 16, 2024 09:05:41.366830111 CET | 80 | 49826 | 193.122.6.168 | 192.168.2.4 |
| Dec 16, 2024 09:05:41.675928116 CET | 80 | 49826 | 193.122.6.168 | 192.168.2.4 |
| Dec 16, 2024 09:05:41.724170923 CET | 49826 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 16, 2024 09:05:42.148387909 CET | 49832 | 443 | 192.168.2.4 | 104.21.67.152 |
| Dec 16, 2024 09:05:42.148451090 CET | 443 | 49832 | 104.21.67.152 | 192.168.2.4 |
| Dec 16, 2024 09:05:42.148523092 CET | 49832 | 443 | 192.168.2.4 | 104.21.67.152 |
| Dec 16, 2024 09:05:42.152631998 CET | 49832 | 443 | 192.168.2.4 | 104.21.67.152 |
| Dec 16, 2024 09:05:42.152663946 CET | 443 | 49832 | 104.21.67.152 | 192.168.2.4 |
| Dec 16, 2024 09:05:43.368091106 CET | 443 | 49832 | 104.21.67.152 | 192.168.2.4 |
| Dec 16, 2024 09:05:43.368242979 CET | 49832 | 443 | 192.168.2.4 | 104.21.67.152 |
| Dec 16, 2024 09:05:43.372093916 CET | 49832 | 443 | 192.168.2.4 | 104.21.67.152 |
| Dec 16, 2024 09:05:43.372147083 CET | 443 | 49832 | 104.21.67.152 | 192.168.2.4 |
| Dec 16, 2024 09:05:43.372443914 CET | 443 | 49832 | 104.21.67.152 | 192.168.2.4 |
| Dec 16, 2024 09:05:43.376308918 CET | 49832 | 443 | 192.168.2.4 | 104.21.67.152 |
| Dec 16, 2024 09:05:43.419339895 CET | 443 | 49832 | 104.21.67.152 | 192.168.2.4 |
| Dec 16, 2024 09:05:43.808037996 CET | 443 | 49832 | 104.21.67.152 | 192.168.2.4 |
| Dec 16, 2024 09:05:43.808118105 CET | 443 | 49832 | 104.21.67.152 | 192.168.2.4 |
| Dec 16, 2024 09:05:43.808180094 CET | 49832 | 443 | 192.168.2.4 | 104.21.67.152 |
| Dec 16, 2024 09:05:43.822886944 CET | 49832 | 443 | 192.168.2.4 | 104.21.67.152 |
| Dec 16, 2024 09:05:49.255486965 CET | 49826 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 16, 2024 09:05:49.376686096 CET | 80 | 49826 | 193.122.6.168 | 192.168.2.4 |
| Dec 16, 2024 09:05:49.660937071 CET | 80 | 49826 | 193.122.6.168 | 192.168.2.4 |
| Dec 16, 2024 09:05:49.708587885 CET | 49826 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 16, 2024 09:05:49.803417921 CET | 49852 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 16, 2024 09:05:49.803546906 CET | 443 | 49852 | 149.154.167.220 | 192.168.2.4 |
| Dec 16, 2024 09:05:49.803700924 CET | 49852 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 16, 2024 09:05:49.804147005 CET | 49852 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 16, 2024 09:05:49.804181099 CET | 443 | 49852 | 149.154.167.220 | 192.168.2.4 |
| Dec 16, 2024 09:05:51.170268059 CET | 443 | 49852 | 149.154.167.220 | 192.168.2.4 |
| Dec 16, 2024 09:05:51.170392036 CET | 49852 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 16, 2024 09:05:51.188374043 CET | 49852 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 16, 2024 09:05:51.188457012 CET | 443 | 49852 | 149.154.167.220 | 192.168.2.4 |
| Dec 16, 2024 09:05:51.188801050 CET | 443 | 49852 | 149.154.167.220 | 192.168.2.4 |
| Dec 16, 2024 09:05:51.190689087 CET | 49852 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 16, 2024 09:05:51.235335112 CET | 443 | 49852 | 149.154.167.220 | 192.168.2.4 |
| Dec 16, 2024 09:05:51.235435963 CET | 49852 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 16, 2024 09:05:51.235460997 CET | 443 | 49852 | 149.154.167.220 | 192.168.2.4 |
| Dec 16, 2024 09:05:51.900382996 CET | 443 | 49852 | 149.154.167.220 | 192.168.2.4 |
| Dec 16, 2024 09:05:51.900486946 CET | 443 | 49852 | 149.154.167.220 | 192.168.2.4 |
| Dec 16, 2024 09:05:51.900569916 CET | 49852 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 16, 2024 09:05:51.901094913 CET | 49852 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 16, 2024 09:05:52.072551012 CET | 49826 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 16, 2024 09:05:52.073790073 CET | 49858 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 16, 2024 09:05:52.192671061 CET | 80 | 49826 | 193.122.6.168 | 192.168.2.4 |
| Dec 16, 2024 09:05:52.192724943 CET | 49826 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 16, 2024 09:05:52.193563938 CET | 80 | 49858 | 193.122.6.168 | 192.168.2.4 |
| Dec 16, 2024 09:05:52.193945885 CET | 49858 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 16, 2024 09:05:52.194066048 CET | 49858 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 16, 2024 09:05:52.313707113 CET | 80 | 49858 | 193.122.6.168 | 192.168.2.4 |
| Dec 16, 2024 09:05:53.462896109 CET | 80 | 49858 | 193.122.6.168 | 192.168.2.4 |
| Dec 16, 2024 09:05:53.465639114 CET | 49861 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 16, 2024 09:05:53.465686083 CET | 443 | 49861 | 149.154.167.220 | 192.168.2.4 |
| Dec 16, 2024 09:05:53.465759993 CET | 49861 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 16, 2024 09:05:53.466325045 CET | 49861 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 16, 2024 09:05:53.466341019 CET | 443 | 49861 | 149.154.167.220 | 192.168.2.4 |
| Dec 16, 2024 09:05:53.508833885 CET | 49858 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 16, 2024 09:05:54.834935904 CET | 443 | 49861 | 149.154.167.220 | 192.168.2.4 |
| Dec 16, 2024 09:05:54.836661100 CET | 49861 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 16, 2024 09:05:54.836680889 CET | 443 | 49861 | 149.154.167.220 | 192.168.2.4 |
| Dec 16, 2024 09:05:54.836801052 CET | 49861 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 16, 2024 09:05:54.836807966 CET | 443 | 49861 | 149.154.167.220 | 192.168.2.4 |
| Dec 16, 2024 09:05:55.509648085 CET | 443 | 49861 | 149.154.167.220 | 192.168.2.4 |
| Dec 16, 2024 09:05:55.509758949 CET | 443 | 49861 | 149.154.167.220 | 192.168.2.4 |
| Dec 16, 2024 09:05:55.509969950 CET | 49861 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 16, 2024 09:05:55.510580063 CET | 49861 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 16, 2024 09:05:55.529897928 CET | 49866 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 16, 2024 09:05:55.649844885 CET | 80 | 49866 | 193.122.6.168 | 192.168.2.4 |
| Dec 16, 2024 09:05:55.649967909 CET | 49866 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 16, 2024 09:05:55.650152922 CET | 49866 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 16, 2024 09:05:55.770112991 CET | 80 | 49866 | 193.122.6.168 | 192.168.2.4 |
| Dec 16, 2024 09:05:56.931538105 CET | 80 | 49866 | 193.122.6.168 | 192.168.2.4 |
| Dec 16, 2024 09:05:56.937427998 CET | 49872 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 16, 2024 09:05:56.937530994 CET | 443 | 49872 | 149.154.167.220 | 192.168.2.4 |
| Dec 16, 2024 09:05:56.938441992 CET | 49872 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 16, 2024 09:05:56.938687086 CET | 49872 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 16, 2024 09:05:56.938720942 CET | 443 | 49872 | 149.154.167.220 | 192.168.2.4 |
| Dec 16, 2024 09:05:56.974246025 CET | 49866 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 16, 2024 09:05:58.300648928 CET | 443 | 49872 | 149.154.167.220 | 192.168.2.4 |
| Dec 16, 2024 09:05:58.302834988 CET | 49872 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 16, 2024 09:05:58.302860975 CET | 443 | 49872 | 149.154.167.220 | 192.168.2.4 |
| Dec 16, 2024 09:05:58.302937031 CET | 49872 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 16, 2024 09:05:58.302944899 CET | 443 | 49872 | 149.154.167.220 | 192.168.2.4 |
| Dec 16, 2024 09:05:59.009798050 CET | 443 | 49872 | 149.154.167.220 | 192.168.2.4 |
| Dec 16, 2024 09:05:59.010135889 CET | 443 | 49872 | 149.154.167.220 | 192.168.2.4 |
| Dec 16, 2024 09:05:59.010251999 CET | 49872 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 16, 2024 09:05:59.012065887 CET | 49872 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 16, 2024 09:05:59.078331947 CET | 49866 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 16, 2024 09:05:59.078958035 CET | 49878 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 16, 2024 09:05:59.198379040 CET | 80 | 49866 | 193.122.6.168 | 192.168.2.4 |
| Dec 16, 2024 09:05:59.198458910 CET | 49866 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 16, 2024 09:05:59.198690891 CET | 80 | 49878 | 193.122.6.168 | 192.168.2.4 |
| Dec 16, 2024 09:05:59.198761940 CET | 49878 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 16, 2024 09:05:59.198889971 CET | 49878 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 16, 2024 09:05:59.318608999 CET | 80 | 49878 | 193.122.6.168 | 192.168.2.4 |
| Dec 16, 2024 09:06:00.557987928 CET | 80 | 49878 | 193.122.6.168 | 192.168.2.4 |
| Dec 16, 2024 09:06:00.559334040 CET | 49883 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 16, 2024 09:06:00.559379101 CET | 443 | 49883 | 149.154.167.220 | 192.168.2.4 |
| Dec 16, 2024 09:06:00.559607029 CET | 49883 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 16, 2024 09:06:00.559787989 CET | 49883 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 16, 2024 09:06:00.559798002 CET | 443 | 49883 | 149.154.167.220 | 192.168.2.4 |
| Dec 16, 2024 09:06:00.599277020 CET | 49878 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 16, 2024 09:06:01.921646118 CET | 443 | 49883 | 149.154.167.220 | 192.168.2.4 |
| Dec 16, 2024 09:06:01.924176931 CET | 49883 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 16, 2024 09:06:01.924185038 CET | 443 | 49883 | 149.154.167.220 | 192.168.2.4 |
| Dec 16, 2024 09:06:01.924268007 CET | 49883 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 16, 2024 09:06:01.924278021 CET | 443 | 49883 | 149.154.167.220 | 192.168.2.4 |
| Dec 16, 2024 09:06:02.572581053 CET | 443 | 49883 | 149.154.167.220 | 192.168.2.4 |
| Dec 16, 2024 09:06:02.572751045 CET | 443 | 49883 | 149.154.167.220 | 192.168.2.4 |
| Dec 16, 2024 09:06:02.572865009 CET | 49883 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 16, 2024 09:06:02.573100090 CET | 49883 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 16, 2024 09:06:02.590357065 CET | 49878 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 16, 2024 09:06:02.591135979 CET | 49889 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 16, 2024 09:06:02.710591078 CET | 80 | 49878 | 193.122.6.168 | 192.168.2.4 |
| Dec 16, 2024 09:06:02.710678101 CET | 49878 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 16, 2024 09:06:02.710913897 CET | 80 | 49889 | 193.122.6.168 | 192.168.2.4 |
| Dec 16, 2024 09:06:02.711026907 CET | 49889 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 16, 2024 09:06:02.711199045 CET | 49889 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 16, 2024 09:06:02.830842972 CET | 80 | 49889 | 193.122.6.168 | 192.168.2.4 |
| Dec 16, 2024 09:06:03.982750893 CET | 80 | 49889 | 193.122.6.168 | 192.168.2.4 |
| Dec 16, 2024 09:06:03.987715960 CET | 49891 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 16, 2024 09:06:03.987802982 CET | 443 | 49891 | 149.154.167.220 | 192.168.2.4 |
| Dec 16, 2024 09:06:03.987893105 CET | 49891 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 16, 2024 09:06:03.988151073 CET | 49891 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 16, 2024 09:06:03.988187075 CET | 443 | 49891 | 149.154.167.220 | 192.168.2.4 |
| Dec 16, 2024 09:06:04.036623955 CET | 49889 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 16, 2024 09:06:05.356656075 CET | 443 | 49891 | 149.154.167.220 | 192.168.2.4 |
| Dec 16, 2024 09:06:05.358299017 CET | 49891 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 16, 2024 09:06:05.358330965 CET | 443 | 49891 | 149.154.167.220 | 192.168.2.4 |
| Dec 16, 2024 09:06:05.358393908 CET | 49891 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 16, 2024 09:06:05.358407021 CET | 443 | 49891 | 149.154.167.220 | 192.168.2.4 |
| Dec 16, 2024 09:06:06.332748890 CET | 443 | 49891 | 149.154.167.220 | 192.168.2.4 |
| Dec 16, 2024 09:06:06.333041906 CET | 443 | 49891 | 149.154.167.220 | 192.168.2.4 |
| Dec 16, 2024 09:06:06.333137989 CET | 49891 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 16, 2024 09:06:09.018450022 CET | 49891 | 443 | 192.168.2.4 | 149.154.167.220 |
| Dec 16, 2024 09:06:09.020941019 CET | 49889 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 16, 2024 09:06:09.022054911 CET | 49906 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 16, 2024 09:06:09.141216993 CET | 80 | 49889 | 193.122.6.168 | 192.168.2.4 |
| Dec 16, 2024 09:06:09.141294956 CET | 49889 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 16, 2024 09:06:09.141726017 CET | 80 | 49906 | 193.122.6.168 | 192.168.2.4 |
| Dec 16, 2024 09:06:09.141840935 CET | 49906 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 16, 2024 09:06:09.141936064 CET | 49906 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 16, 2024 09:06:09.261701107 CET | 80 | 49906 | 193.122.6.168 | 192.168.2.4 |
| Dec 16, 2024 09:06:10.473161936 CET | 80 | 49906 | 193.122.6.168 | 192.168.2.4 |
| Dec 16, 2024 09:06:10.521009922 CET | 49906 | 80 | 192.168.2.4 | 193.122.6.168 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 16, 2024 09:05:31.004317999 CET | 56373 | 53 | 192.168.2.4 | 1.1.1.1 |
| Dec 16, 2024 09:05:31.141685009 CET | 53 | 56373 | 1.1.1.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:33.791688919 CET | 59293 | 53 | 192.168.2.4 | 1.1.1.1 |
| Dec 16, 2024 09:05:33.930509090 CET | 53 | 59293 | 1.1.1.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:39.480732918 CET | 60052 | 53 | 192.168.2.4 | 1.1.1.1 |
| Dec 16, 2024 09:05:39.844990969 CET | 53 | 60052 | 1.1.1.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:42.007061005 CET | 58972 | 53 | 192.168.2.4 | 1.1.1.1 |
| Dec 16, 2024 09:05:42.147551060 CET | 53 | 58972 | 1.1.1.1 | 192.168.2.4 |
| Dec 16, 2024 09:05:49.665357113 CET | 53141 | 53 | 192.168.2.4 | 1.1.1.1 |
| Dec 16, 2024 09:05:49.802562952 CET | 53 | 53141 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Dec 16, 2024 09:05:31.004317999 CET | 192.168.2.4 | 1.1.1.1 | 0x673c | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Dec 16, 2024 09:05:33.791688919 CET | 192.168.2.4 | 1.1.1.1 | 0xf916 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Dec 16, 2024 09:05:39.480732918 CET | 192.168.2.4 | 1.1.1.1 | 0x493c | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Dec 16, 2024 09:05:42.007061005 CET | 192.168.2.4 | 1.1.1.1 | 0x480a | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Dec 16, 2024 09:05:49.665357113 CET | 192.168.2.4 | 1.1.1.1 | 0xab3 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Dec 16, 2024 09:05:31.141685009 CET | 1.1.1.1 | 192.168.2.4 | 0x673c | No error (0) | 172.217.19.174 | A (IP address) | IN (0x0001) | false | ||
| Dec 16, 2024 09:05:33.930509090 CET | 1.1.1.1 | 192.168.2.4 | 0xf916 | No error (0) | 142.250.181.1 | A (IP address) | IN (0x0001) | false | ||
| Dec 16, 2024 09:05:39.844990969 CET | 1.1.1.1 | 192.168.2.4 | 0x493c | No error (0) | checkip.dyndns.com | CNAME (Canonical name) | IN (0x0001) | false | ||
| Dec 16, 2024 09:05:39.844990969 CET | 1.1.1.1 | 192.168.2.4 | 0x493c | No error (0) | 193.122.6.168 | A (IP address) | IN (0x0001) | false | ||
| Dec 16, 2024 09:05:39.844990969 CET | 1.1.1.1 | 192.168.2.4 | 0x493c | No error (0) | 132.226.247.73 | A (IP address) | IN (0x0001) | false | ||
| Dec 16, 2024 09:05:39.844990969 CET | 1.1.1.1 | 192.168.2.4 | 0x493c | No error (0) | 132.226.8.169 | A (IP address) | IN (0x0001) | false | ||
| Dec 16, 2024 09:05:39.844990969 CET | 1.1.1.1 | 192.168.2.4 | 0x493c | No error (0) | 158.101.44.242 | A (IP address) | IN (0x0001) | false | ||
| Dec 16, 2024 09:05:39.844990969 CET | 1.1.1.1 | 192.168.2.4 | 0x493c | No error (0) | 193.122.130.0 | A (IP address) | IN (0x0001) | false | ||
| Dec 16, 2024 09:05:42.147551060 CET | 1.1.1.1 | 192.168.2.4 | 0x480a | No error (0) | 104.21.67.152 | A (IP address) | IN (0x0001) | false | ||
| Dec 16, 2024 09:05:42.147551060 CET | 1.1.1.1 | 192.168.2.4 | 0x480a | No error (0) | 172.67.177.134 | A (IP address) | IN (0x0001) | false | ||
| Dec 16, 2024 09:05:49.802562952 CET | 1.1.1.1 | 192.168.2.4 | 0xab3 | No error (0) | 149.154.167.220 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49826 | 193.122.6.168 | 80 | 7844 | C:\Users\user\Desktop\SWIFT091816-24_pdf.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Dec 16, 2024 09:05:39.969947100 CET | 151 | OUT | |
| Dec 16, 2024 09:05:41.243218899 CET | 321 | IN | |
| Dec 16, 2024 09:05:41.247028112 CET | 127 | OUT | |
| Dec 16, 2024 09:05:41.675928116 CET | 321 | IN | |
| Dec 16, 2024 09:05:49.255486965 CET | 127 | OUT | |
| Dec 16, 2024 09:05:49.660937071 CET | 321 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49858 | 193.122.6.168 | 80 | 7844 | C:\Users\user\Desktop\SWIFT091816-24_pdf.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Dec 16, 2024 09:05:52.194066048 CET | 127 | OUT | |
| Dec 16, 2024 09:05:53.462896109 CET | 321 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.4 | 49866 | 193.122.6.168 | 80 | 7844 | C:\Users\user\Desktop\SWIFT091816-24_pdf.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Dec 16, 2024 09:05:55.650152922 CET | 151 | OUT | |
| Dec 16, 2024 09:05:56.931538105 CET | 321 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.4 | 49878 | 193.122.6.168 | 80 | 7844 | C:\Users\user\Desktop\SWIFT091816-24_pdf.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Dec 16, 2024 09:05:59.198889971 CET | 151 | OUT | |
| Dec 16, 2024 09:06:00.557987928 CET | 321 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.4 | 49889 | 193.122.6.168 | 80 | 7844 | C:\Users\user\Desktop\SWIFT091816-24_pdf.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Dec 16, 2024 09:06:02.711199045 CET | 151 | OUT | |
| Dec 16, 2024 09:06:03.982750893 CET | 321 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port |
|---|---|---|---|---|
| 5 | 192.168.2.4 | 49906 | 193.122.6.168 | 80 |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Dec 16, 2024 09:06:09.141936064 CET | 151 | OUT | |
| Dec 16, 2024 09:06:10.473161936 CET | 321 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49804 | 172.217.19.174 | 443 | 7844 | C:\Users\user\Desktop\SWIFT091816-24_pdf.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-16 08:05:32 UTC | 216 | OUT | |
| 2024-12-16 08:05:33 UTC | 1920 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49812 | 142.250.181.1 | 443 | 7844 | C:\Users\user\Desktop\SWIFT091816-24_pdf.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-16 08:05:35 UTC | 258 | OUT | |
| 2024-12-16 08:05:38 UTC | 4932 | IN | |
| 2024-12-16 08:05:38 UTC | 4932 | IN | |
| 2024-12-16 08:05:38 UTC | 4833 | IN | |
| 2024-12-16 08:05:38 UTC | 1323 | IN | |
| 2024-12-16 08:05:38 UTC | 1390 | IN | |
| 2024-12-16 08:05:38 UTC | 1390 | IN | |
| 2024-12-16 08:05:38 UTC | 1390 | IN | |
| 2024-12-16 08:05:38 UTC | 1390 | IN | |
| 2024-12-16 08:05:38 UTC | 1390 | IN | |
| 2024-12-16 08:05:38 UTC | 1390 | IN | |
| 2024-12-16 08:05:38 UTC | 1390 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.4 | 49832 | 104.21.67.152 | 443 | 7844 | C:\Users\user\Desktop\SWIFT091816-24_pdf.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-16 08:05:43 UTC | 85 | OUT | |
| 2024-12-16 08:05:43 UTC | 886 | IN | |
| 2024-12-16 08:05:43 UTC | 362 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.4 | 49852 | 149.154.167.220 | 443 | 7844 | C:\Users\user\Desktop\SWIFT091816-24_pdf.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-16 08:05:51 UTC | 295 | OUT | |
| 2024-12-16 08:05:51 UTC | 1090 | OUT | |
| 2024-12-16 08:05:51 UTC | 388 | IN | |
| 2024-12-16 08:05:51 UTC | 542 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.4 | 49861 | 149.154.167.220 | 443 | 7844 | C:\Users\user\Desktop\SWIFT091816-24_pdf.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-16 08:05:54 UTC | 295 | OUT | |
| 2024-12-16 08:05:54 UTC | 1090 | OUT | |
| 2024-12-16 08:05:55 UTC | 388 | IN | |
| 2024-12-16 08:05:55 UTC | 545 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.4 | 49872 | 149.154.167.220 | 443 | 7844 | C:\Users\user\Desktop\SWIFT091816-24_pdf.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-16 08:05:58 UTC | 271 | OUT | |
| 2024-12-16 08:05:58 UTC | 1090 | OUT | |
| 2024-12-16 08:05:59 UTC | 388 | IN | |
| 2024-12-16 08:05:59 UTC | 542 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.4 | 49883 | 149.154.167.220 | 443 | 7844 | C:\Users\user\Desktop\SWIFT091816-24_pdf.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-16 08:06:01 UTC | 295 | OUT | |
| 2024-12-16 08:06:01 UTC | 1090 | OUT | |
| 2024-12-16 08:06:02 UTC | 388 | IN | |
| 2024-12-16 08:06:02 UTC | 542 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.4 | 49891 | 149.154.167.220 | 443 | 7844 | C:\Users\user\Desktop\SWIFT091816-24_pdf.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-16 08:06:05 UTC | 271 | OUT | |
| 2024-12-16 08:06:05 UTC | 1090 | OUT | |
| 2024-12-16 08:06:06 UTC | 388 | IN | |
| 2024-12-16 08:06:06 UTC | 542 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 03:04:00 |
| Start date: | 16/12/2024 |
| Path: | C:\Users\user\Desktop\SWIFT091816-24_pdf.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 434'942 bytes |
| MD5 hash: | 397346C3391583257950CFE556F0A5E6 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 03:05:17 |
| Start date: | 16/12/2024 |
| Path: | C:\Users\user\Desktop\SWIFT091816-24_pdf.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 434'942 bytes |
| MD5 hash: | 397346C3391583257950CFE556F0A5E6 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | false |
Execution Graph
| Execution Coverage: | 21.7% |
| Dynamic/Decrypted Code Coverage: | 14% |
| Signature Coverage: | 25.1% |
| Total number of Nodes: | 1511 |
| Total number of Limit Nodes: | 47 |
Graph
Function 004032A0 Relevance: 89.7, APIs: 32, Strings: 19, Instructions: 401stringfilecomCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404B30 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406077 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 207stringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405846 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148filestringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406398 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004027FB Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040389E Relevance: 47.5, APIs: 14, Strings: 13, Instructions: 215stringregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401767 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145stringtimeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004025E5 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040237B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71registrystringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004063BF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405128 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401FC3 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401B37 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401DDC Relevance: 3.0, APIs: 2, Instructions: 21COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405C2A Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405700 Relevance: 3.0, APIs: 2, Instructions: 9COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100028A4 Relevance: 2.7, APIs: 2, Instructions: 156memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402786 Relevance: 1.5, APIs: 1, Instructions: 26COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040229D Relevance: 1.5, APIs: 1, Instructions: 25COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405CDC Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405CAD Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100027C7 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040159B Relevance: 1.5, APIs: 1, Instructions: 18COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040414E Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403258 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004052F3 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284windowclipboardmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004045B4 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040686A Relevance: .3, Instructions: 334COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407041 Relevance: .3, Instructions: 300COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004042B6 Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 207windowstringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405D84 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131stringmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100022D0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404180 Relevance: 12.1, APIs: 8, Instructions: 61COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404A7E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402D04 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100024A9 Relevance: 9.1, APIs: 6, Instructions: 98COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402537 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100018A9 Relevance: 7.7, APIs: 5, Instructions: 189COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100015FF Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401CFA Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404970 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401BDF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405F22 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405A09 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402D8A Relevance: 6.0, APIs: 4, Instructions: 33COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405B11 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405735 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405A55 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100010E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405B8F Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 10.1% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 2.4% |
| Total number of Nodes: | 254 |
| Total number of Limit Nodes: | 14 |
Graph
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36004328 Relevance: 6.4, Strings: 5, Instructions: 191COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36008E0C Relevance: 4.8, Strings: 3, Instructions: 1079COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 360027B9 Relevance: 3.2, Strings: 2, Instructions: 716COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 394EE7C8 Relevance: 2.0, Strings: 1, Instructions: 764COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FBBDF0 Relevance: 2.0, Strings: 1, Instructions: 758COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38410C1A Relevance: 1.5, Strings: 1, Instructions: 238COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38410C28 Relevance: 1.5, Strings: 1, Instructions: 220COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FBA360 Relevance: 1.5, Strings: 1, Instructions: 219COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB9D10 Relevance: 1.5, Strings: 1, Instructions: 219COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FBA9B0 Relevance: 1.5, Strings: 1, Instructions: 218COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB96C8 Relevance: 1.5, Strings: 1, Instructions: 218COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB96B8 Relevance: 1.4, Strings: 1, Instructions: 166COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FBA9A0 Relevance: 1.4, Strings: 1, Instructions: 165COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB8650 Relevance: .7, Instructions: 709COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FBF136 Relevance: .3, Instructions: 330COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3841C638 Relevance: .3, Instructions: 303COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 384103AF Relevance: .3, Instructions: 285COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB29B8 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38410F6F Relevance: .2, Instructions: 202COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FBBA97 Relevance: .2, Instructions: 191COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3600311B Relevance: .2, Instructions: 168COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB8640 Relevance: .2, Instructions: 168COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FBC92F Relevance: .2, Instructions: 153COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB9D00 Relevance: .1, Instructions: 109COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FBA352 Relevance: .1, Instructions: 108COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 360068E5 Relevance: 6.6, Strings: 5, Instructions: 355COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 394E0978 Relevance: 6.1, APIs: 4, Instructions: 130threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 394E0980 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB7920 Relevance: 3.9, Strings: 3, Instructions: 147COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36007458 Relevance: 3.2, Strings: 2, Instructions: 692COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 360054A8 Relevance: 2.7, Strings: 2, Instructions: 209COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FBFAB0 Relevance: 2.7, Strings: 2, Instructions: 189COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36004F24 Relevance: 2.7, Strings: 2, Instructions: 163COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36008BF0 Relevance: 2.6, Strings: 2, Instructions: 149COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FBFAA1 Relevance: 2.6, Strings: 2, Instructions: 86COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB7911 Relevance: 2.6, Strings: 2, Instructions: 78COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 394E1DC0 Relevance: 1.6, APIs: 1, Instructions: 93COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 394E0BC0 Relevance: 1.6, APIs: 1, Instructions: 64COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 394E0BC8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 394EE6F7 Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 394EC560 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 394EE700 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 394E2020 Relevance: 1.5, APIs: 1, Instructions: 44timeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 394ED3EE Relevance: 1.5, APIs: 1, Instructions: 44comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 394EE708 Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 394EE712 Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36000B29 Relevance: 1.5, Strings: 1, Instructions: 201COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36000B30 Relevance: 1.4, Strings: 1, Instructions: 200COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FBCF68 Relevance: 1.3, Strings: 1, Instructions: 88COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FBCF59 Relevance: 1.3, Strings: 1, Instructions: 76COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB95E8 Relevance: 1.3, Strings: 1, Instructions: 39COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FBC173 Relevance: .3, Instructions: 319COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36005068 Relevance: .2, Instructions: 204COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36006C98 Relevance: .2, Instructions: 201COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FBBA88 Relevance: .2, Instructions: 177COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FBC4CF Relevance: .2, Instructions: 155COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FBCC28 Relevance: .1, Instructions: 143COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36003168 Relevance: .1, Instructions: 134COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB8721 Relevance: .1, Instructions: 130COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 360092C3 Relevance: .1, Instructions: 123COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36004620 Relevance: .1, Instructions: 101COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36006F30 Relevance: .1, Instructions: 89COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36006F40 Relevance: .1, Instructions: 87COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 360018C8 Relevance: .1, Instructions: 77COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 360052BA Relevance: .1, Instructions: 76COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 35EFD030 Relevance: .1, Instructions: 72COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3600324D Relevance: .1, Instructions: 68COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36004612 Relevance: .1, Instructions: 68COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36000EC8 Relevance: .1, Instructions: 68COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36008729 Relevance: .1, Instructions: 65COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3600B2E0 Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 360052C8 Relevance: .1, Instructions: 59COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 360017C8 Relevance: .1, Instructions: 56COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FBB9C8 Relevance: .1, Instructions: 56COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FBB9C7 Relevance: .1, Instructions: 56COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36004E5F Relevance: .1, Instructions: 52COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FBE7F4 Relevance: .0, Instructions: 50COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3600B2F0 Relevance: .0, Instructions: 49COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FBF098 Relevance: .0, Instructions: 48COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FBCE50 Relevance: .0, Instructions: 47COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FBB9C1 Relevance: .0, Instructions: 41COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FBCE60 Relevance: .0, Instructions: 39COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FBEC22 Relevance: .0, Instructions: 38COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB9608 Relevance: .0, Instructions: 35COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36008BE0 Relevance: .0, Instructions: 34COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3600B168 Relevance: .0, Instructions: 25COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36009F1F Relevance: .0, Instructions: 25COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36001877 Relevance: .0, Instructions: 25COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3600FE20 Relevance: .0, Instructions: 23COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36001888 Relevance: .0, Instructions: 19COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36007EC0 Relevance: .0, Instructions: 18COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 360056FF Relevance: .0, Instructions: 16COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36009F6D Relevance: .0, Instructions: 16COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3600FF30 Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB95D8 Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FBD72F Relevance: .0, Instructions: 14COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FBBD48 Relevance: .0, Instructions: 13COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36005710 Relevance: .0, Instructions: 12COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FBD0A1 Relevance: .0, Instructions: 12COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB94B4 Relevance: .0, Instructions: 12COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FBCF39 Relevance: .0, Instructions: 12COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3600B2C2 Relevance: .0, Instructions: 6COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004032A0 Relevance: 77.4, APIs: 32, Strings: 12, Instructions: 401stringfilecomCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404B30 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FBAFF8 Relevance: 23.0, Strings: 18, Instructions: 461COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405846 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 148filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FBAFF6 Relevance: 12.9, Strings: 10, Instructions: 362COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB7B4F Relevance: 3.1, Strings: 2, Instructions: 603COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB5660 Relevance: 1.5, Strings: 1, Instructions: 268COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB8193 Relevance: 1.4, Strings: 1, Instructions: 193COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB8373 Relevance: 1.4, Strings: 1, Instructions: 116COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3841B930 Relevance: .3, Instructions: 276COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3841B07F Relevance: .3, Instructions: 274COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3841B4D8 Relevance: .3, Instructions: 274COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3841DEE1 Relevance: .3, Instructions: 273COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3841DA89 Relevance: .3, Instructions: 272COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3841EBF2 Relevance: .3, Instructions: 270COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB7070 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB1858 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB4820 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB2108 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB5AB8 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB3268 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB5208 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB43C8 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB6368 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB3B18 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB74C8 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB1CB0 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB6C18 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB1400 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB4DB0 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB2560 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB36C0 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB2E10 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB67C0 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB0FA8 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB3F70 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FB5F10 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3841C1F2 Relevance: .3, Instructions: 267COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3841F05A Relevance: .3, Instructions: 264COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3841BDA2 Relevance: .3, Instructions: 264COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3841E790 Relevance: .3, Instructions: 254COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3841E339 Relevance: .3, Instructions: 252COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38FBCBE7 Relevance: .0, Instructions: 17COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004052F3 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284windowclipboardmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004042B6 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 207windowstringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040389E Relevance: 37.0, APIs: 13, Strings: 8, Instructions: 215stringregistryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405D84 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131stringmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004045B4 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 275stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406077 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 207stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404180 Relevance: 12.1, APIs: 8, Instructions: 61COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004025E5 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404A7E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402D04 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401CFA Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401D56 Relevance: 7.5, APIs: 5, Instructions: 38COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404970 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401BDF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004063BF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34libraryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405683 Relevance: 6.0, APIs: 4, Instructions: 39COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402D8A Relevance: 6.0, APIs: 4, Instructions: 33COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405128 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405735 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405B8F Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|