Windows
Analysis Report
YcxjdYUKIb.exe
Overview
General Information
Sample name: | YcxjdYUKIb.exe (renamed because original name is a hash value) |
Original sample name: | dd6f40ba5347afaba9cf9b57ad2e9a612e7fd5d0d93ea5a80d59e43c4c58af8b.exe |
Analysis ID: | 1577213 |
MD5: | e89c4510fd982d44f3b6c4d4671d50fd |
SHA1: | b5f45fc5723466fb2c0ef4aa55453408c9bd022b |
SHA256: | dd6f40ba5347afaba9cf9b57ad2e9a612e7fd5d0d93ea5a80d59e43c4c58af8b |
Tags: | 139-99-188-124, exe, user-JAMESWT_MHT |
Infos: | |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- YcxjdYUKIb.exe (PID: 3744 cmdline: "C:\Users\user\Desktop\YcxjdYUKIb.exe" MD5: E89C4510FD982D44F3B6C4D4671D50FD)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
PureCrypter | According to Zscaler, PureCrypter is a fully-featured loader being sold since at least March 2021. The malware has been observed distributing a variety of remote access trojans and information stealers. The loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus software products. PureCrypter features provide persistence, injection and defense mechanisms that are configurable in Google's Protocol Buffer message format. | No Attribution |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-18T09:40:42.358030+0100 | 2035595 | 1 | Domain Observed Used for C2 Detected | 139.99.188.124 | 56001 | 192.168.2.4 | 49730 | TCP |
AV Detection |
---|
Source: | Avira: |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Static PE information: |
Networking |
---|
Source: | Suricata IDS: |
Source: | TCP traffic: |
Source: | IP Address: | ||
Source: | IP Address: |
Source: | ASN Name: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | String found in binary or memory: | ||
Source: | Process Stats: |
Source: | Binary or memory string: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Cryptographic APIs: | ||
Source: | Classification label: |
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | Static PE information: |
Source: | Static file information: |
Source: | WMI Queries: |
Source: | Key opened: | Jump to behavior |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | File read: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Key value queried: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Source: | Static PE information: |
Source: | Static PE information: |
Data Obfuscation |
---|
Source: | .Net Code: |
Source: | Static PE information: |
Source: | Code function: | 0_2_01634E0A | |
Source: | Code function: | 0_2_03071391 |
Source: | Static PE information: |
Source: | High entropy of concatenated method names: | ||
Source: | High entropy of concatenated method names: | ||
Source: | High entropy of concatenated method names: |
Source: | Registry key monitored for changes: | Jump to behavior | ||
Source: | Registry key monitored for changes: | Jump to behavior |
Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion |
---|
Source: | WMI Queries: |
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior |
Source: | Thread delayed: | Jump to behavior |
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior |
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | WMI Queries: |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Process token adjusted: | Jump to behavior |
Source: | Memory allocated: | Jump to behavior |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | String found in binary or memory: |
Source: | Binary or memory string: | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | WMI Queries: |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | String found in binary or memory: | ||
Source: | Key opened: | Jump to behavior |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 321 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Disable or Modify Tools | OS Credential Dumping | 1 Query Registry | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 341 Virtualization/Sandbox Evasion | LSASS Memory | 421 Security Software Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Deobfuscate/Decode Files or Information | NTDS | 341 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 12 Software Packing | Cached Domain Credentials | 213 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Timestomp | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
69% | Virustotal | Browse | ||
55% | ReversingLabs | Win32.Trojan.Barys | ||
100% | Avira | HEUR/AGEN.1327055 | ||
100% | Joe Sandbox ML |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 217.20.58.98 | true | false | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
139.99.188.124 | unknown | Canada | 16276 | OVHFR | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1577213 |
Start date and time: | 2024-12-18 09:39:32 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 8m 1s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 5 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | YcxjdYUKIb.exe (renamed because original name is a hash value) |
Original Sample Name: | dd6f40ba5347afaba9cf9b57ad2e9a612e7fd5d0d93ea5a80d59e43c4c58af8b.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@1/2@0/1 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 217.20.58.98, 52.149.20.212, 13.107.246.63
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtAllocateVirtualMemory calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
03:40:44 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
139.99.188.124 | Get hash | malicious | Unknown | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | Unknown | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | Get hash | malicious | Unknown | Browse |
Get hash | malicious | SmokeLoader | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | HTMLPhisher | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | RedLine | Browse |
Get hash | malicious | Vidar | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
OVHFR | Get hash | malicious | Unknown | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | PureCrypter, PureLog Stealer | Browse |
Get hash | malicious | PureCrypter | Browse |
Get hash | malicious | PureCrypter | Browse |
Get hash | malicious | PureCrypter | Browse |
Get hash | malicious | PureCrypter, PureLog Stealer | Browse |
Get hash | malicious | PureCrypter | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | Unknown | Browse |
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Process: | C:\Users\user\Desktop\YcxjdYUKIb.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 71954 |
Entropy (8bit): | 7.996617769952133 |
Encrypted: | true |
SSDEEP: | 1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ |
MD5: | 49AEBF8CBD62D92AC215B2923FB1B9F5 |
SHA1: | 1723BE06719828DDA65AD804298D0431F6AFF976 |
SHA-256: | B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F |
SHA-512: | BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Process: | C:\Users\user\Desktop\YcxjdYUKIb.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 328 |
Entropy (8bit): | 3.1302776811683923 |
Encrypted: | false |
SSDEEP: | 6:kKnJ9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:P4DnLNkPlE99SNxAhUe/3 |
MD5: | 58C3E17A5E7E1D63E85D346BB74EAA7A |
SHA1: | EC552A3C7CDEB97E4E7EDFE83406765B67C5DF05 |
SHA-256: | FCF094E169E0913B3B4C8F80828E1A64479C0535E6E3F00D4A7222269CF0DE91 |
SHA-512: | 0D412AAD682A08870679A1712EF2962C033EA6321FA38BE342C91CE56DE0671591D39F593519B18925A5486B793C9BC8EA82E67185D87C4F9B36B1696ED84FE2 |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 7.637926592050706 |
TrID: |
|
File name: | YcxjdYUKIb.exe |
File size: | 538'624 bytes |
MD5: | e89c4510fd982d44f3b6c4d4671d50fd |
SHA1: | b5f45fc5723466fb2c0ef4aa55453408c9bd022b |
SHA256: | dd6f40ba5347afaba9cf9b57ad2e9a612e7fd5d0d93ea5a80d59e43c4c58af8b |
SHA512: | e4c2d08e77ffd7c13e0534ebf6cbe4174f50fb059988b4a6b8fc6b9f5db0c5dd1f16ee55c5cb90c0707dcc7cddf0d3d42627f112b6995d0e51b5d5caa16d57f4 |
SSDEEP: | 6144:fGat1v6OW/Ib6ZMqokt4+jhyUStzSUOdO5BCMx62pSa6N7vZoDmHS4WhA0Go8BBx:fJAOrkt4+UUf0CMBWGSy4GD8wCgq |
TLSH: | 73B4D03F22A75F22C21D1974C9EF46104BF3DB8B7A37DB853E4512996D023E68E866C4 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....@................0..............M... ...`....@.. ....................................@................................ |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x484d8e |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x8FFF4003 [Sun Jul 22 10:59:15 2046 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Instruction |
---|
jmp dword ptr [00402000h] |
add byte ptr [eax], al |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x84d40 | 0x4b | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x86000 | 0x560 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x88000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0x82d94 | 0x82e00 | 2dc3f87458032191e4c41ef45cf55aea | False | 0.8335515908548233 | data | 7.64998562736955 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rsrc | 0x86000 | 0x560 | 0x600 | 64dadad36679409cedf2bd74b66c9e80 | False | 0.3990885416666667 | data | 3.9149661951548707 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.reloc | 0x88000 | 0xc | 0x200 | fde373e73c23b7440a006aa5b70a20d5 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0x860a0 | 0x2d4 | data | | | 0.4350828729281768 |
RT_MANIFEST | 0x86374 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347 |
DLL | Import |
---|---|
mscoree.dll | _CorExeMain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-18T09:40:42.358030+0100 | 2035595 | ET MALWARE Generic AsyncRAT Style SSL Cert | 1 | 139.99.188.124 | 56001 | 192.168.2.4 | 49730 | TCP |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Dec 18, 2024 09:40:43.024002075 CET | 1.1.1.1 | 192.168.2.4 | 0x7250 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | CNAME (Canonical name) | IN (0x0001) | false | ||
Dec 18, 2024 09:40:43.024002075 CET | 1.1.1.1 | 192.168.2.4 | 0x7250 | No error (0) | 217.20.58.98 | A (IP address) | IN (0x0001) | false | ||
Dec 18, 2024 09:40:43.024002075 CET | 1.1.1.1 | 192.168.2.4 | 0x7250 | No error (0) | 217.20.58.100 | A (IP address) | IN (0x0001) | false | ||
Dec 18, 2024 09:40:43.024002075 CET | 1.1.1.1 | 192.168.2.4 | 0x7250 | No error (0) | 217.20.58.101 | A (IP address) | IN (0x0001) | false | ||
Dec 18, 2024 09:40:43.024002075 CET | 1.1.1.1 | 192.168.2.4 | 0x7250 | No error (0) | 217.20.58.99 | A (IP address) | IN (0x0001) | false |
Target ID: | 0 |
Start time: | 03:40:33 |
Start date: | 18/12/2024 |
Path: | C:\Users\user\Desktop\YcxjdYUKIb.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xbe0000 |
File size: | 538'624 bytes |
MD5 hash: | E89C4510FD982D44F3B6C4D4671D50FD |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | false |
Execution Graph
Execution Coverage: | 2% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 0% |
Total number of Nodes: | 33 |
Total number of Limit Nodes: | 1 |
Graph
Function 0309F690 Relevance: 8.2, Strings: 6, Instructions: 674COMMON
Control-flow Graph
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0163A740 Relevance: 5.7, Strings: 4, Instructions: 669COMMON
Control-flow Graph
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01630D42 Relevance: 2.7, Strings: 2, Instructions: 154COMMON
Control-flow Graph
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0309F330 Relevance: 2.6, Strings: 2, Instructions: 150COMMON
Control-flow Graph
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01630D50 Relevance: 2.6, Strings: 2, Instructions: 149COMMON
Control-flow Graph
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 03072C40 Relevance: 2.1, Strings: 1, Instructions: 886COMMON
Control-flow Graph
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 06470A2D Relevance: 9.4, Strings: 7, Instructions: 649COMMON
Control-flow Graph
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 030086A8 Relevance: 6.6, Strings: 2, Instructions: 4052COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0647122F Relevance: 3.8, Strings: 3, Instructions: 84COMMON
Control-flow Graph
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 06470B38 Relevance: 2.8, Strings: 2, Instructions: 346COMMON
Control-flow Graph
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0300C218 Relevance: 2.8, Strings: 2, Instructions: 314COMMON
Control-flow Graph
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0163BF50 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 06470448 Relevance: 1.4, Strings: 1, Instructions: 179COMMON
Control-flow Graph
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 03072C30 Relevance: 1.4, Strings: 1, Instructions: 130COMMON
Control-flow Graph
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 06473E98 Relevance: 1.4, Strings: 1, Instructions: 101COMMON
Control-flow Graph
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 06473090 Relevance: 1.3, Strings: 1, Instructions: 88COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 06470637 Relevance: 1.3, Strings: 1, Instructions: 86COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0300E070 Relevance: 1.3, Instructions: 1331COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 06475F51 Relevance: 1.3, Strings: 1, Instructions: 62COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 06475F60 Relevance: 1.3, Strings: 1, Instructions: 58COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 06473432 Relevance: 1.3, Strings: 1, Instructions: 58COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0300868D Relevance: 1.3, Strings: 1, Instructions: 55COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0163CA10 Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON
Function 06473440 Relevance: 1.3, Strings: 1, Instructions: 49COMMON
Function 06475FA7 Relevance: 1.3, Strings: 1, Instructions: 37COMMON
Function 06471DD0 Relevance: .3, Instructions: 333COMMON
Function 030724BB Relevance: .2, Instructions: 228COMMON
Function 064715A2 Relevance: .2, Instructions: 225COMMON
Function 0647184F Relevance: .2, Instructions: 209COMMON
Function 0300F4CD Relevance: .2, Instructions: 198COMMON
Function 0300F4E8 Relevance: .2, Instructions: 193COMMON
Function 064716E1 Relevance: .1, Instructions: 109COMMON
Function 0155D3C8 Relevance: .1, Instructions: 75COMMON
Function 0156D01C Relevance: .1, Instructions: 74COMMON
Function 06471C40 Relevance: .1, Instructions: 66COMMON
Function 0156D006 Relevance: .1, Instructions: 64COMMON
Function 0309EEA8 Relevance: .1, Instructions: 63COMMON
Function 06471D10 Relevance: .1, Instructions: 62COMMON
Function 06476231 Relevance: .1, Instructions: 56COMMON
Function 0155D3C3 Relevance: .1, Instructions: 56COMMON
Function 064711B0 Relevance: .1, Instructions: 55COMMON
Function 0300E055 Relevance: .1, Instructions: 54COMMON
Function 06476931 Relevance: .1, Instructions: 53COMMON
Function 064711C0 Relevance: .0, Instructions: 47COMMON
Function 0155D819 Relevance: .0, Instructions: 45COMMON
Function 06473E88 Relevance: .0, Instructions: 41COMMON
Function 06473E97 Relevance: .0, Instructions: 40COMMON
Function 030723F6 Relevance: .0, Instructions: 37COMMON
Function 06475CD0 Relevance: .0, Instructions: 36COMMON
Function 0155D818 Relevance: .0, Instructions: 36COMMON
Function 064740B8 Relevance: .0, Instructions: 32COMMON
Function 064729C8 Relevance: .0, Instructions: 31COMMON
Function 06476991 Relevance: .0, Instructions: 30COMMON
Function 030734C3 Relevance: .0, Instructions: 28COMMON
Function 064728D0 Relevance: .0, Instructions: 23COMMON
Function 06475C97 Relevance: .0, Instructions: 21COMMON
Function 0309F1E8 Relevance: .0, Instructions: 17COMMON
Function 0647363A Relevance: .0, Instructions: 17COMMON
Function 06473FD8 Relevance: .0, Instructions: 17COMMON
Function 030778D0 Relevance: .0, Instructions: 17COMMON
Function 06473E59 Relevance: .0, Instructions: 16COMMON
Function 06474890 Relevance: .0, Instructions: 16COMMON
Function 03072C07 Relevance: .0, Instructions: 16COMMON
Function 06475ED0 Relevance: .0, Instructions: 15COMMON
Function 06475C20 Relevance: .0, Instructions: 15COMMON
Function 064740E8 Relevance: .0, Instructions: 15COMMON
Function 0307E070 Relevance: .0, Instructions: 15COMMON
Function 0309F2F8 Relevance: .0, Instructions: 14COMMON
Function 0309FF60 Relevance: .0, Instructions: 14COMMON
Function 06473411 Relevance: .0, Instructions: 14COMMON
Function 064728E0 Relevance: .0, Instructions: 14COMMON
Function 06475CA8 Relevance: .0, Instructions: 14COMMON
Function 06472D10 Relevance: .0, Instructions: 14COMMON
Function 0307FF40 Relevance: .0, Instructions: 14COMMON
Function 06475D60 Relevance: .0, Instructions: 13COMMON
Function 06476180 Relevance: .0, Instructions: 13COMMON
Function 06473FE8 Relevance: .0, Instructions: 12COMMON
Function 06472BB0 Relevance: .0, Instructions: 12COMMON
Function 06475CE0 Relevance: .0, Instructions: 12COMMON
Function 0307630E Relevance: .0, Instructions: 12COMMON
Function 0307347A Relevance: .0, Instructions: 12COMMON
Function 06476811 Relevance: .0, Instructions: 11COMMON
Function 03076310 Relevance: .0, Instructions: 11COMMON
Function 0307F2F0 Relevance: .0, Instructions: 11COMMON
Function 03071432 Relevance: .0, Instructions: 11COMMON
Function 03072C18 Relevance: .0, Instructions: 10COMMON
Function 03071438 Relevance: .0, Instructions: 10COMMON
Function 0307F690 Relevance: .0, Instructions: 8COMMON
Function 0307F6F0 Relevance: .0, Instructions: 8COMMON
Function 0307EF90 Relevance: .0, Instructions: 7COMMON
Function 06475B80 Relevance: .0, Instructions: 5COMMON
Function 06473420 Relevance: .0, Instructions: 5COMMON
Function 064730A0 Relevance: .0, Instructions: 5COMMON
Function 06472390 Relevance: .0, Instructions: 4COMMON
Function 0307395D Relevance: .7, Instructions: 700COMMON
Function 03073F98 Relevance: .7, Instructions: 690COMMON
Function 03075280 Relevance: .7, Instructions: 686COMMON
Function 0307490D Relevance: .7, Instructions: 685COMMON
Function 03074695 Relevance: .7, Instructions: 685COMMON
Function 03073B99 Relevance: .7, Instructions: 684COMMON
Function 03074281 Relevance: .7, Instructions: 684COMMON
Function 03075131 Relevance: .7, Instructions: 684COMMON
Function 03075056 Relevance: .7, Instructions: 684COMMON
Function 0307530B Relevance: .7, Instructions: 683COMMON
Function 03073B3B Relevance: .7, Instructions: 683COMMON
Function 0307434B Relevance: .7, Instructions: 683COMMON
Function 03074B6A Relevance: .7, Instructions: 683COMMON
Function 03073371 Relevance: .7, Instructions: 683COMMON
Function 03074B95 Relevance: .7, Instructions: 683COMMON
Function 030753B7 Relevance: .7, Instructions: 683COMMON
Function 03074BBE Relevance: .7, Instructions: 683COMMON
Function 03073BCF Relevance: .7, Instructions: 683COMMON
Function 03074BEC Relevance: .7, Instructions: 683COMMON
Function 03073206 Relevance: .7, Instructions: 683COMMON
Function 03073A94 Relevance: .7, Instructions: 683COMMON
Function 03073ACE Relevance: .7, Instructions: 683COMMON
Function 03075106 Relevance: .7, Instructions: 683COMMON
Function 0307398E Relevance: .7, Instructions: 683COMMON
Function 030749F9 Relevance: .7, Instructions: 683COMMON
Function 03074022 Relevance: .7, Instructions: 683COMMON
Function 03075763 Relevance: .7, Instructions: 683COMMON
Function 0307376C Relevance: .7, Instructions: 683COMMON
Function 03072FB3 Relevance: .7, Instructions: 683COMMON
Function 03074FD6 Relevance: .7, Instructions: 683COMMON
Function 030757DB Relevance: .7, Instructions: 683COMMON
Function 03073687 Relevance: .7, Instructions: 683COMMON
Function 03073EA2 Relevance: .7, Instructions: 683COMMON
Function 030756F0 Relevance: .7, Instructions: 683COMMON
Function 0307450E Relevance: .7, Instructions: 683COMMON
Function 03073D26 Relevance: .7, Instructions: 683COMMON
Function 03075590 Relevance: .7, Instructions: 683COMMON
Function 030745C2 Relevance: .7, Instructions: 683COMMON
Function 0307340B Relevance: .7, Instructions: 683COMMON
Function 03074C17 Relevance: .7, Instructions: 683COMMON
Function 03074413 Relevance: .7, Instructions: 683COMMON
Function 03074C42 Relevance: .7, Instructions: 683COMMON
Function 03073CA3 Relevance: .7, Instructions: 683COMMON
Function 03073CF8 Relevance: .7, Instructions: 683COMMON
Function 030754F8 Relevance: .7, Instructions: 683COMMON
Function 03075242 Relevance: .7, Instructions: 682COMMON
Function 0307416A Relevance: .7, Instructions: 682COMMON
Function 030751CF Relevance: .7, Instructions: 682COMMON
Function 030731CC Relevance: .7, Instructions: 682COMMON
Function 030739E7 Relevance: .7, Instructions: 682COMMON
Function 03073016 Relevance: .7, Instructions: 682COMMON
Function 03073059 Relevance: .7, Instructions: 682COMMON
Function 030740DF Relevance: .7, Instructions: 682COMMON
Function 030750DD Relevance: .7, Instructions: 682COMMON
Function 03075738 Relevance: .7, Instructions: 682COMMON
Function 03073797 Relevance: .7, Instructions: 682COMMON
Function 030737C0 Relevance: .7, Instructions: 682COMMON
Function 0307463F Relevance: .7, Instructions: 682COMMON
Function 03074E47 Relevance: .7, Instructions: 682COMMON
Function 0307331B Relevance: .7, Instructions: 681COMMON
Function 03072F53 Relevance: .7, Instructions: 679COMMON
Function 03072F9E Relevance: .7, Instructions: 679COMMON
Function 03072F7B Relevance: .7, Instructions: 678COMMON
Function 03075F60 Relevance: .3, Instructions: 279COMMON
Function 03075F51 Relevance: .2, Instructions: 190COMMON