Windows
Analysis Report
NHEXQatKdE.exe
Overview
General Information
Sample name: | NHEXQatKdE.exe (renamed because original name is a hash value) |
Original sample name: | 1af7854a5ad5a97c01e2217cdf0f7656.exe |
Analysis ID: | 1577899 |
MD5: | 1af7854a5ad5a97c01e2217cdf0f7656 |
SHA1: | fad9ae35e40778bbe36cff4f28a3e31a3fbc58c3 |
SHA256: | 2b843617d9fef8997fa434d68a2338dfb3da3550ceefb638f5e683a4e666693a |
Tags: | exe, user-abuse_ch |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- NHEXQatKdE.exe (PID: 5716 cmdline: "C:\Users\user\Desktop\NHEXQatKdE.exe" MD5: 1AF7854A5AD5A97C01E2217CDF0F7656)
- conhost.exe (PID: 6464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- NHEXQatKdE.exe (PID: 5576 cmdline: "C:\Users\user\Desktop\NHEXQatKdE.exe" MD5: 1AF7854A5AD5A97C01E2217CDF0F7656)
- NHEXQatKdE.exe (PID: 4156 cmdline: "C:\Users\user\Desktop\NHEXQatKdE.exe" MD5: 1AF7854A5AD5A97C01E2217CDF0F7656)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | |
{"C2 url": ["aspecteirs.lat", "sustainskelet.lat", "energyaffai.lat", "sweepyribs.lat", "crosshuaht.lat", "grannyejh.lat", "discokeyus.lat", "necklacebudi.lat", "rapeflowwj.lat"], "Build id": "yau6Na--7911731954"}
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
| | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
| | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security | |
| | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-18T21:22:26.557736+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49714 | 172.67.179.109 | 443 | TCP |
2024-12-18T21:22:32.441063+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49726 | 172.67.179.109 | 443 | TCP |
2024-12-18T21:22:36.985675+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49739 | 172.67.179.109 | 443 | TCP |
2024-12-18T21:22:55.215987+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49780 | 172.67.179.109 | 443 | TCP |
2024-12-18T21:22:57.690905+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49787 | 172.67.179.109 | 443 | TCP |
2024-12-18T21:23:04.817390+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49799 | 172.67.179.109 | 443 | TCP |
2024-12-18T21:23:10.861677+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49811 | 172.67.179.109 | 443 | TCP |
2024-12-18T21:23:19.992096+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49836 | 172.67.179.109 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-18T21:22:31.213368+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49714 | 172.67.179.109 | 443 | TCP |
2024-12-18T21:22:35.354788+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49726 | 172.67.179.109 | 443 | TCP |
2024-12-18T21:23:39.112966+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49836 | 172.67.179.109 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-18T21:22:31.213368+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.6 | 49714 | 172.67.179.109 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-18T21:22:35.354788+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.6 | 49726 | 172.67.179.109 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-18T21:22:26.557736+0100 | 2058365 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49714 | 172.67.179.109 | 443 | TCP |
2024-12-18T21:22:32.441063+0100 | 2058365 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49726 | 172.67.179.109 | 443 | TCP |
2024-12-18T21:22:36.985675+0100 | 2058365 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49739 | 172.67.179.109 | 443 | TCP |
2024-12-18T21:22:55.215987+0100 | 2058365 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49780 | 172.67.179.109 | 443 | TCP |
2024-12-18T21:22:57.690905+0100 | 2058365 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49787 | 172.67.179.109 | 443 | TCP |
2024-12-18T21:23:04.817390+0100 | 2058365 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49799 | 172.67.179.109 | 443 | TCP |
2024-12-18T21:23:10.861677+0100 | 2058365 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49811 | 172.67.179.109 | 443 | TCP |
2024-12-18T21:23:19.992096+0100 | 2058365 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49836 | 172.67.179.109 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-18T21:22:25.007446+0100 | 2058364 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 64464 | 1.1.1.1 | 53 | UDP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-18T21:22:24.862868+0100 | 2058378 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 59438 | 1.1.1.1 | 53 | UDP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-18T21:22:56.052386+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49780 | 172.67.179.109 | 443 | TCP |
AV Detection |
---|
Networking |
---|
Malware Analysis System Evasion |
---|
HIPS / PFW / Operating System Protection Evasion |
---|
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | Directory queried: | Jump to behavior | ||
Source: | File source: | ||
Remote Access Functionality |
---|
Source: | File source: | ||
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 211 Process Injection | 11 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 211 Process Injection | LSASS Memory | 1 Query Registry | Remote Desktop Protocol | 41 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 141 Security Software Discovery | SMB/Windows Admin Shares | 2 Clipboard Data | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 11 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 11 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 23 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
61% | ReversingLabs | Win32.Packed.Generic | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
0% | Avira URL Cloud | safe | ||
100% | Avira URL Cloud | malware | ||
0% | Avira URL Cloud | safe | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
grannyejh.lat | 172.67.179.109 | true | false | high | |
sweepyribs.lat | unknown | unknown | false | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
false | high | ||
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | | unknown | ||
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
172.67.179.109 | grannyejh.lat | United States | | 13335 | CLOUDFLARENETUS | false |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1577899 |
Start date and time: | 2024-12-18 21:21:27 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 26s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 7 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | NHEXQatKdE.exe (renamed because original name is a hash value) |
Original Sample Name: | 1af7854a5ad5a97c01e2217cdf0f7656.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@6/0@2/1 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded IPs from analysis (whitelisted): 13.107.246.63, 172.202.163.200
- Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target NHEXQatKdE.exe, PID 5576 because there are no executed functions
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- VT rate limit hit for: NHEXQatKdE.exe
Time | Type | Description |
---|---|---|
15:22:23 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
172.67.179.109 | Get hash | malicious | LummaC | Browse | ||
Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Browse | |||
Get hash | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, zgRAT | Browse | |||
Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, Stealc | Browse | |||
Get hash | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, PureLog Stealer, Stealc | Browse | |||
Get hash | malicious | LummaC, Stealc | Browse | |||
Get hash | malicious | LummaC, Stealc | Browse | |||
Get hash | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, Stealc, Vidar | Browse | |||
Get hash | malicious | LummaC, Amadey, LummaC Stealer, RHADAMANTHYS, Xmrig | Browse | |||
Get hash | malicious | LummaC, Amadey, LummaC Stealer, RHADAMANTHYS, Xmrig | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
grannyejh.lat | Get hash | malicious | LummaC, Stealc | Browse | ||
Get hash | malicious | LummaC | Browse | |||
Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Browse | |||
Get hash | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, zgRAT | Browse | |||
Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, Stealc | Browse | |||
Get hash | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, PureLog Stealer, Stealc | Browse | |||
Get hash | malicious | LummaC, Stealc | Browse | |||
Get hash | malicious | LummaC | Browse | |||
Get hash | malicious | LummaC, Stealc | Browse | |||
Get hash | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, Stealc, Vidar | Browse | |||
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CLOUDFLARENETUS | Get hash | malicious | LummaC, Stealc | Browse | ||
Get hash | malicious | LummaC | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | LummaC | Browse | |||
Get hash | malicious | Vidar | Browse | |||
Get hash | malicious | HTMLPhisher | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC, Stealc | Browse | ||
Get hash | malicious | LummaC | Browse | |||
Get hash | malicious | LummaC | Browse | |||
Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Browse | |||
Get hash | malicious | LummaC | Browse | |||
Get hash | malicious | LummaC | Browse | |||
Get hash | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, zgRAT | Browse | |||
Get hash | malicious | LummaC Stealer | Browse | |||
Get hash | malicious | LummaC | Browse | |||
File type: | |
Entropy (8bit): | 7.906638959287093 |
TrID: | |
File name: | NHEXQatKdE.exe |
File size: | 723'584 bytes |
MD5: | 1af7854a5ad5a97c01e2217cdf0f7656 |
SHA1: | fad9ae35e40778bbe36cff4f28a3e31a3fbc58c3 |
SHA256: | 2b843617d9fef8997fa434d68a2338dfb3da3550ceefb638f5e683a4e666693a |
SHA512: | 73e207fe18eb79543b960a5bd3fe1994220bd0ec2efce9f3c484a57ecd4988feaecc35df3163cb3d6f4aad42f9831d3fb82907d75f704ad51a72d232199d2d81 |
SSDEEP: | 12288:0ZOOIkzlNMs6FQNN2Z88zQyHHmSPlFaHx6FQNN2Z88zQyHHmSPlFaHClr7v:NOIkTMbFQNNqQyHHmmlFaHMFQNNqQyHX |
TLSH: | 65F4120AB5D280F1D8F21E3519B0CAA198BDD2346F508FEF33D809669FB47D1123D96A |
File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....zag.........."......4..........n.............@..........................@............@.....................................P.. |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x401e6e |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x67617A10 [Tue Dec 17 13:18:08 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 21f765297fa9653ef21199b37f81eeb8 |
Signature Valid: | false |
Signature Issuer: | CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB |
Signature Validation Error: | The digital signature of the object did not verify |
Error Number: | -2146869232 |
Not Before, Not After | |
Subject Chain | |
Version: | 3 |
Thumbprint MD5: | AD1BCBF19AE2F91BB114D33B85359E56 |
Thumbprint SHA-1: | 141D90A1BA8F61863FBEDDF7DD1D66C1D1E0B128 |
Thumbprint SHA-256: | A08EA2A7A257AD690B988446951E9DEF2986A2F3F546B6F0902805330F3B6B48 |
Serial: | 00D0461B529F67189D43744E9CEFE172AE |
Instruction |
---|
call 00007F5F0526994Ah |
jmp 00007F5F05269569h |
push ebp |
mov ebp, esp |
push dword ptr [ebp+08h] |
call 00007F5F052696FFh |
neg eax |
pop ecx |
sbb eax, eax |
neg eax |
dec eax |
pop ebp |
ret |
push ebp |
mov ebp, esp |
cmp dword ptr [0041D2A0h], FFFFFFFFh |
push dword ptr [ebp+08h] |
jne 00007F5F052696F9h |
call 00007F5F0526D54Dh |
jmp 00007F5F052696FDh |
push 0041D2A0h |
call 00007F5F0526D4D0h |
pop ecx |
pop ecx |
xor ecx, ecx |
test eax, eax |
cmove ecx, dword ptr [ebp+08h] |
mov eax, ecx |
pop ebp |
ret |
push 00000008h |
push 0041B430h |
call 00007F5F05269C2Eh |
and dword ptr [ebp-04h], 00000000h |
mov eax, 00005A4Dh |
cmp word ptr [00400000h], ax |
jne 00007F5F0526974Fh |
mov eax, dword ptr [0040003Ch] |
cmp dword ptr [eax+00400000h], 00004550h |
jne 00007F5F0526973Eh |
mov ecx, 0000010Bh |
cmp word ptr [eax+00400018h], cx |
jne 00007F5F05269730h |
mov eax, dword ptr [ebp+08h] |
mov ecx, 00400000h |
sub eax, ecx |
push eax |
push ecx |
call 00007F5F05269872h |
pop ecx |
pop ecx |
test eax, eax |
je 00007F5F05269719h |
cmp dword ptr [eax+24h], 00000000h |
jl 00007F5F05269713h |
mov dword ptr [ebp-04h], FFFFFFFEh |
mov al, 01h |
jmp 00007F5F05269711h |
mov eax, dword ptr [ebp-14h] |
mov eax, dword ptr [eax] |
xor ecx, ecx |
cmp dword ptr [eax], C0000005h |
sete cl |
mov eax, ecx |
ret |
mov esp, dword ptr [ebp-18h] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1aaf0 | 0x50 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1f000 | 0xe8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xadc00 | 0x2e80 | .bss |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x20000 | 0x1104 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x15170 | 0xc0 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1ac70 | 0x130 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x13347 | 0x13400 | 6d89a97965264aa303718e1047ceed5a | False | 0.6077643060064936 | data | 6.652018864290896 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x15000 | 0x69d4 | 0x6a00 | 7975814b27f5305afaa4ae2451474f40 | False | 0.47162441037735847 | data | 5.167894945532914 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x1c000 | 0x19b8 | 0x1000 | 21ca70d79da8e11896608cf64484f9d4 | False | 0.466796875 | data | 4.806314076439111 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.ext | 0x1e000 | 0x53 | 0x200 | 1397a12727ddad9d37e4ee639b13e495 | False | 0.173828125 | data | 1.4093403317208462 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rsrc | 0x1f000 | 0xe8 | 0x200 | e4b2b3496c80cd736aa5918f624610b3 | False | 0.306640625 | data | 2.337865625306241 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x20000 | 0x1104 | 0x1200 | 73926e461be0cdaa888155118c22b90f | False | 0.7777777777777778 | data | 6.401085059562283 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.bss | 0x22000 | 0x48800 | 0x48800 | 183b1708cdcba3739315eeab36f60a86 | False | 1.0003401131465517 | data | 7.999335620946436 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.bss | 0x6b000 | 0x48800 | 0x48800 | 183b1708cdcba3739315eeab36f60a86 | False | 1.0003401131465517 | data | 7.999335620946436 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_MANIFEST | 0x1f060 | 0x87 | XML 1.0 document, ASCII text | English | United States | 0.8222222222222222 |
DLL | Import |
---|---|
ADVAPI32.dll | CryptContextAddRef |
GDI32.dll | CloseFigure |
KERNEL32.dll | CloseHandle, CompareStringW, CreateFileW, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadFile, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WideCharToMultiByte, WriteConsoleW, WriteFile |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-18T21:22:24.862868+0100 | 2058378 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sweepyribs .lat) | 1 | 192.168.2.6 | 59438 | 1.1.1.1 | 53 | UDP |
2024-12-18T21:22:25.007446+0100 | 2058364 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat) | 1 | 192.168.2.6 | 64464 | 1.1.1.1 | 53 | UDP |
2024-12-18T21:22:26.557736+0100 | 2058365 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) | 1 | 192.168.2.6 | 49714 | 172.67.179.109 | 443 | TCP |
2024-12-18T21:22:26.557736+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49714 | 172.67.179.109 | 443 | TCP |
2024-12-18T21:22:31.213368+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.6 | 49714 | 172.67.179.109 | 443 | TCP |
2024-12-18T21:22:31.213368+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49714 | 172.67.179.109 | 443 | TCP |
2024-12-18T21:22:32.441063+0100 | 2058365 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) | 1 | 192.168.2.6 | 49726 | 172.67.179.109 | 443 | TCP |
2024-12-18T21:22:32.441063+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49726 | 172.67.179.109 | 443 | TCP |
2024-12-18T21:22:35.354788+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.6 | 49726 | 172.67.179.109 | 443 | TCP |
2024-12-18T21:22:35.354788+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49726 | 172.67.179.109 | 443 | TCP |
2024-12-18T21:22:36.985675+0100 | 2058365 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) | 1 | 192.168.2.6 | 49739 | 172.67.179.109 | 443 | TCP |
2024-12-18T21:22:36.985675+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49739 | 172.67.179.109 | 443 | TCP |
2024-12-18T21:22:55.215987+0100 | 2058365 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) | 1 | 192.168.2.6 | 49780 | 172.67.179.109 | 443 | TCP |
2024-12-18T21:22:55.215987+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49780 | 172.67.179.109 | 443 | TCP |
2024-12-18T21:22:56.052386+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.6 | 49780 | 172.67.179.109 | 443 | TCP |
2024-12-18T21:22:57.690905+0100 | 2058365 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) | 1 | 192.168.2.6 | 49787 | 172.67.179.109 | 443 | TCP |
2024-12-18T21:22:57.690905+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49787 | 172.67.179.109 | 443 | TCP |
2024-12-18T21:23:04.817390+0100 | 2058365 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) | 1 | 192.168.2.6 | 49799 | 172.67.179.109 | 443 | TCP |
2024-12-18T21:23:04.817390+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49799 | 172.67.179.109 | 443 | TCP |
2024-12-18T21:23:10.861677+0100 | 2058365 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) | 1 | 192.168.2.6 | 49811 | 172.67.179.109 | 443 | TCP |
2024-12-18T21:23:10.861677+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49811 | 172.67.179.109 | 443 | TCP |
2024-12-18T21:23:19.992096+0100 | 2058365 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (grannyejh .lat in TLS SNI) | 1 | 192.168.2.6 | 49836 | 172.67.179.109 | 443 | TCP |
2024-12-18T21:23:19.992096+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49836 | 172.67.179.109 | 443 | TCP |
2024-12-18T21:23:39.112966+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49836 | 172.67.179.109 | 443 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 18, 2024 21:22:56.288687944 CET | 49787 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:22:56.289089918 CET | 49787 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:22:56.289108992 CET | 443 | 49787 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:22:57.690820932 CET | 443 | 49787 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:22:57.690905094 CET | 49787 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:22:57.789283037 CET | 49787 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:22:57.789318085 CET | 443 | 49787 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:22:57.789714098 CET | 443 | 49787 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:22:57.811227083 CET | 49787 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:22:57.811419010 CET | 49787 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:22:57.811448097 CET | 443 | 49787 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:22:57.811516047 CET | 49787 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:22:57.811527967 CET | 443 | 49787 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:01.972850084 CET | 443 | 49787 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:01.972953081 CET | 443 | 49787 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:01.973014116 CET | 49787 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:01.973104000 CET | 49787 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:01.973123074 CET | 443 | 49787 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:02.973316908 CET | 49799 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:02.973368883 CET | 443 | 49799 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:02.973445892 CET | 49799 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:02.973867893 CET | 49799 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:02.973891020 CET | 443 | 49799 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:04.817240000 CET | 443 | 49799 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:04.817389965 CET | 49799 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:04.818952084 CET | 49799 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:04.818964005 CET | 443 | 49799 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:04.819224119 CET | 443 | 49799 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:04.820686102 CET | 49799 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:04.820862055 CET | 49799 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:04.820871115 CET | 443 | 49799 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:08.967911005 CET | 443 | 49799 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:08.968040943 CET | 443 | 49799 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:08.968121052 CET | 49799 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:08.968218088 CET | 49799 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:08.968257904 CET | 443 | 49799 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:09.361861944 CET | 49811 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:09.361921072 CET | 443 | 49811 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:09.361998081 CET | 49811 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:09.362303019 CET | 49811 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:09.362318039 CET | 443 | 49811 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:10.861577034 CET | 443 | 49811 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:10.861676931 CET | 49811 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:10.866305113 CET | 49811 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:10.866328001 CET | 443 | 49811 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:10.866709948 CET | 443 | 49811 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:10.904160976 CET | 49811 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:10.905076981 CET | 49811 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:10.905128002 CET | 443 | 49811 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:10.905935049 CET | 49811 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:10.905983925 CET | 443 | 49811 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:10.907411098 CET | 49811 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:10.907696962 CET | 443 | 49811 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:10.907820940 CET | 49811 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:10.907854080 CET | 443 | 49811 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:10.908139944 CET | 49811 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:10.908169985 CET | 443 | 49811 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:10.909255981 CET | 49811 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:10.909293890 CET | 443 | 49811 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:10.909307957 CET | 49811 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:10.909324884 CET | 443 | 49811 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:10.909432888 CET | 49811 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:10.909451008 CET | 443 | 49811 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:10.909471035 CET | 49811 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:10.909607887 CET | 49811 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:10.909636974 CET | 49811 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:10.955333948 CET | 443 | 49811 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:10.955516100 CET | 49811 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:10.955553055 CET | 443 | 49811 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:10.955571890 CET | 49811 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:10.955594063 CET | 443 | 49811 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:10.955616951 CET | 49811 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:10.955627918 CET | 443 | 49811 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:10.955635071 CET | 49811 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:10.955638885 CET | 443 | 49811 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:18.654778004 CET | 443 | 49811 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:18.654877901 CET | 443 | 49811 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:18.655066967 CET | 49811 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:18.655760050 CET | 49811 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:18.655785084 CET | 443 | 49811 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:18.775222063 CET | 49836 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:18.775262117 CET | 443 | 49836 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:18.775481939 CET | 49836 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:18.775980949 CET | 49836 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:18.775993109 CET | 443 | 49836 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:19.992010117 CET | 443 | 49836 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:19.992095947 CET | 49836 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:19.993546009 CET | 49836 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:19.993561029 CET | 443 | 49836 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:19.993803978 CET | 443 | 49836 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:19.995070934 CET | 49836 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:19.995100975 CET | 49836 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:19.995134115 CET | 443 | 49836 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:39.113095045 CET | 443 | 49836 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:39.113348007 CET | 443 | 49836 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:39.113435984 CET | 49836 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:39.113518953 CET | 49836 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:39.113564014 CET | 443 | 49836 | 172.67.179.109 | 192.168.2.6 |
Dec 18, 2024 21:23:39.113596916 CET | 49836 | 443 | 192.168.2.6 | 172.67.179.109 |
Dec 18, 2024 21:23:39.113612890 CET | 443 | 49836 | 172.67.179.109 | 192.168.2.6 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 18, 2024 21:22:24.862868071 CET | 59438 | 53 | 192.168.2.6 | 1.1.1.1 |
Dec 18, 2024 21:22:25.002140045 CET | 53 | 59438 | 1.1.1.1 | 192.168.2.6 |
Dec 18, 2024 21:22:25.007446051 CET | 64464 | 53 | 192.168.2.6 | 1.1.1.1 |
Dec 18, 2024 21:22:25.318392992 CET | 53 | 64464 | 1.1.1.1 | 192.168.2.6 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Dec 18, 2024 21:22:24.862868071 CET | 192.168.2.6 | 1.1.1.1 | 0x2a3b | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Dec 18, 2024 21:22:25.007446051 CET | 192.168.2.6 | 1.1.1.1 | 0x6a63 | Standard query (0) | | A (IP address) | IN (0x0001) | false |

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Dec 18, 2024 21:22:25.002140045 CET | 1.1.1.1 | 192.168.2.6 | 0x2a3b | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Dec 18, 2024 21:22:25.318392992 CET | 1.1.1.1 | 192.168.2.6 | 0x6a63 | No error (0) | | | 172.67.179.109 | A (IP address) | IN (0x0001) | false |
Dec 18, 2024 21:22:25.318392992 CET | 1.1.1.1 | 192.168.2.6 | 0x6a63 | No error (0) | | | 104.21.64.80 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.6 | 49714 | 172.67.179.109 | 443 | 4156 | C:\Users\user\Desktop\NHEXQatKdE.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-18 20:22:26 UTC | 260 | OUT | |
2024-12-18 20:22:26 UTC | 8 | OUT | |
2024-12-18 20:22:31 UTC | 1023 | IN | |
2024-12-18 20:22:31 UTC | 7 | IN | |
2024-12-18 20:22:31 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.6 | 49726 | 172.67.179.109 | 443 | 4156 | C:\Users\user\Desktop\NHEXQatKdE.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-18 20:22:32 UTC | 261 | OUT | |
2024-12-18 20:22:32 UTC | 52 | OUT | |
2024-12-18 20:22:35 UTC | 1027 | IN | |
2024-12-18 20:22:35 UTC | 342 | IN | |
2024-12-18 20:22:35 UTC | 907 | IN | |
2024-12-18 20:22:35 UTC | 1369 | IN | |
2024-12-18 20:22:35 UTC | 1369 | IN | |
2024-12-18 20:22:35 UTC | 1369 | IN | |
2024-12-18 20:22:35 UTC | 1369 | IN | |
2024-12-18 20:22:35 UTC | 1369 | IN | |
2024-12-18 20:22:35 UTC | 1369 | IN | |
2024-12-18 20:22:35 UTC | 1369 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.6 | 49739 | 172.67.179.109 | 443 | 4156 | C:\Users\user\Desktop\NHEXQatKdE.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-18 20:22:37 UTC | 276 | OUT | |
2024-12-18 20:22:37 UTC | 12846 | OUT | |
2024-12-18 20:22:53 UTC | 1036 | IN | |
2024-12-18 20:22:53 UTC | 20 | IN | |
2024-12-18 20:22:53 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.6 | 49780 | 172.67.179.109 | 443 | 4156 | C:\Users\user\Desktop\NHEXQatKdE.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-18 20:22:55 UTC | 274 | OUT | |
2024-12-18 20:22:55 UTC | 15080 | OUT | |
2024-12-18 20:22:56 UTC | 1029 | IN | |
2024-12-18 20:22:56 UTC | 20 | IN | |
2024-12-18 20:22:56 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.6 | 49787 | 172.67.179.109 | 443 | 4156 | C:\Users\user\Desktop\NHEXQatKdE.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-18 20:22:57 UTC | 269 | OUT | |
2024-12-18 20:22:57 UTC | 15331 | OUT | |
2024-12-18 20:22:57 UTC | 4577 | OUT | |
2024-12-18 20:23:01 UTC | 1035 | IN | |
2024-12-18 20:23:01 UTC | 20 | IN | |
2024-12-18 20:23:01 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.6 | 49799 | 172.67.179.109 | 443 | 4156 | C:\Users\user\Desktop\NHEXQatKdE.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-18 20:23:04 UTC | 271 | OUT | |
2024-12-18 20:23:04 UTC | 1187 | OUT | |
2024-12-18 20:23:08 UTC | 1032 | IN | |
2024-12-18 20:23:08 UTC | 20 | IN | |
2024-12-18 20:23:08 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.6 | 49811 | 172.67.179.109 | 443 | 4156 | C:\Users\user\Desktop\NHEXQatKdE.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-18 20:23:10 UTC | 274 | OUT | |
2024-12-18 20:23:10 UTC | 15331 | OUT | |
2024-12-18 20:23:10 UTC | 15331 | OUT | |
2024-12-18 20:23:10 UTC | 15331 | OUT | |
2024-12-18 20:23:10 UTC | 15331 | OUT | |
2024-12-18 20:23:10 UTC | 15331 | OUT | |
2024-12-18 20:23:10 UTC | 15331 | OUT | |
2024-12-18 20:23:10 UTC | 15331 | OUT | |
2024-12-18 20:23:10 UTC | 15331 | OUT | |
2024-12-18 20:23:10 UTC | 15331 | OUT | |
2024-12-18 20:23:10 UTC | 15331 | OUT | |
2024-12-18 20:23:18 UTC | 1038 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.6 | 49836 | 172.67.179.109 | 443 | 4156 | C:\Users\user\Desktop\NHEXQatKdE.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-18 20:23:19 UTC | 261 | OUT | |
2024-12-18 20:23:19 UTC | 87 | OUT | |
2024-12-18 20:23:39 UTC | 1028 | IN | |
2024-12-18 20:23:39 UTC | 54 | IN | |
2024-12-18 20:23:39 UTC | 5 | IN | |
Target ID: | 0 |
Start time: | 15:22:18 |
Start date: | 18/12/2024 |
Path: | C:\Users\user\Desktop\NHEXQatKdE.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x6e0000 |
File size: | 723'584 bytes |
MD5 hash: | 1AF7854A5AD5A97C01E2217CDF0F7656 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 15:22:18 |
Start date: | 18/12/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff66e660000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 15:22:23 |
Start date: | 18/12/2024 |
Path: | C:\Users\user\Desktop\NHEXQatKdE.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x6e0000 |
File size: | 723'584 bytes |
MD5 hash: | 1AF7854A5AD5A97C01E2217CDF0F7656 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 4 |
Start time: | 15:22:23 |
Start date: | 18/12/2024 |
Path: | C:\Users\user\Desktop\NHEXQatKdE.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x6e0000 |
File size: | 723'584 bytes |
MD5 hash: | 1AF7854A5AD5A97C01E2217CDF0F7656 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | true |
Execution Graph
Execution Coverage: | 6.1% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 7.8% |
Total number of Nodes: | 1706 |
Total number of Limit Nodes: | 20 |
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
006FC19E | 44.0 | 11 | 14 | 295 | thread, injection, memory, COMMON |
006E15C1 | 7.7 | 5 | | 171 | file, COMMON |
006E123B | 3.2 | 2 | | 194 | COMMON |
006E6FE5 | 10.6 | 4 | 2 | 74 | COMMON, LIBRARYCODE |
006E1930 | 3.1 | 2 | | 94 | COMMON |
006E79C3 | 3.1 | 2 | | 65 | COMMON |
006E1511 | 3.1 | 2 | | 62 | memory, COMMON |
006E8352 | 3.0 | 2 | | 22 | memory, COMMON, LIBRARYCODE |
006E8CFD | 1.5 | 1 | | 32 | memory, COMMON, LIBRARYCODE |
006EF0A0 | 6.5 | 4 | | 455 | COMMON |
006EB1DB | 6.2 | 4 | | 205 | COMMON |
006E2237 | 6.1 | 4 | | 70 | COMMON |
006E2113 | 6.0 | 4 | | 25 | time, thread, COMMON, LIBRARYCODE |
006E2445 | 1.7 | 1 | | 242 | COMMON |
006EB12A | 1.7 | 1 | | 199 | file, COMMON |
006E222B | 1.5 | 1 | | 3 | COMMON |
006E723D | 1.3 | 1 | | 5 | memory, COMMON |
006E40E2 | .3 | | | 318 | COMMON |
006E1000 | .1 | | | 57 | COMMON |
006E96B2 | 10.8 | 7 | | 329 | COMMON |
006F0376 | 10.8 | 2 | 4 | 301 | COMMON, LIBRARYCODE |
006E54AE | 8.8 | 3 | 2 | 42 | library, loader, COMMON, LIBRARYCODE |
006EC838 | 7.7 | 5 | | 197 | COMMON |
006EC5CF | 7.0 | 3 | 1 | 27 | library, COMMON, LIBRARYCODE |
006EAFB8 | 6.1 | 4 | | 82 | COMMON |
006EBD88 | 6.1 | 4 | | 74 | COMMON |
006F079A | 5.4 | 1 | 2 | 112 | COMMON, LIBRARYCODE |
006F0006 | 5.3 | 1 | 2 | 97 | COMMON, LIBRARYCODE |
006EF0A0 | 6.5 | 4 | | 455 | COMMON |
006EB1DB | 6.2 | 4 | | 205 | COMMON |
006E15C1 | 6.2 | 4 | | 171 | file, COMMON |
006E2237 | 6.1 | 4 | | 70 | COMMON |
006F2692 | 12.2 | 8 | | 248 | COMMON |
006E96B2 | 10.8 | 7 | | 329 | COMMON |
006E68A7 | 9.1 | 6 | | 60 | COMMON |
006E54AE | 8.8 | 3 | 2 | 42 | library, loader, COMMON |
006EC838 | 7.7 | 5 | | 197 | COMMON |
006EC5CF | 7.0 | 3 | 1 | 27 | library, COMMON |
006ECEFF | 6.3 | 4 | | 333 | file, COMMON |
006F009D | 6.2 | 4 | | 168 | COMMON |
006EAFB8 | 6.1 | 4 | | 82 | COMMON |
006EB554 | 6.1 | 4 | | 79 | COMMON |
006EBD88 | 6.1 | 4 | | 74 | COMMON |
006F2950 | 6.0 | 4 | | 29 | COMMON |
Execution Graph
Execution Coverage: | 8.2% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 35.2% |
Total number of Nodes: | 372 |
Total number of Limit Nodes: | 19 |
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
00436980 | 40.9 | 11 | 12 | 655 | memory, com, COMMON |
00415211 | 7.4 | 1 | 3 | 450 | encryption, COMMON |
0043D580 | 2.6 | | 2 | 135 | COMMON |
0043B1C0 | 1.5 | 1 | | 14 | library, COMMON |
0040CE98 | 1.4 | | 1 | 178 | COMMON |
0043D7B0 | 1.4 | | 1 | 115 | COMMON |
004259F0 | .4 | | | 377 | COMMON |
0040A283 | .2 | | | 228 | COMMON |
004183F0 | .2 | | | 177 | COMMON |
004087A0 | 7.5 | 5 | | 27 | thread, COMMON |
0043AEC5 | 5.3 | 1 | 2 | 66 | library, COMMON |
00439600 | 3.5 | 1 | 1 | 9 | memory, COMMON |
0040C726 | 3.1 | 2 | | 116 | COMMON |
00432187 | 3.1 | 2 | | 54 | COMMON |
0040C8CA | 3.0 | 2 | | 40 | COMMON |
0043B5B5 | 3.0 | 2 | | 26 | COMMON |
0043B162 | 1.5 | 1 | | 26 | COMMON |
0042F31C | 1.5 | 1 | | 21 | COMMON |
0042FB82 | 1.5 | 1 | | 20 | COMMON |
00439632 | 1.5 | 1 | | 11 | memory, COMMON |
00431020 | 29.9 | 6 | 11 | 106 | clipboard, COMMON |
0040AE20 | 18.0 | | 14 | 485 | COMMON |
0041D400 | 17.1 | | 13 | 881 | COMMON |
00425E40 | 16.9 | | 13 | 669 | COMMON |
00421CAB | 15.9 | | 12 | 894 | COMMON |
00424E40 | 12.8 | | 10 | 325 | COMMON |
00417BFA | 10.6 | | 8 | 629 | COMMON |
00415A0E | 9.5 | | 7 | 707 | COMMON |
0040C93E | 7.8 | | 6 | 300 | COMMON |
00427E16 | 6.7 | | 5 | 497 | COMMON |
00409080 | 5.4 | | 4 | 422 | COMMON |
004094D0 | 5.4 | | 4 | 387 | COMMON |
00426D93 | 4.4 | | 3 | 694 | COMMON |
0041FC50 | 4.2 | | 3 | 419 | COMMON |
0042B738 | 4.0 | | 3 | 222 | COMMON |
004214C0 | 3.0 | | 2 | 511 | COMMON |
00437BA9 | 2.9 | | 2 | 435 | COMMON |
00425287 | 2.9 | | 2 | 375 | COMMON |
0042B6E1 | 2.7 | | 2 | 220 | COMMON |
004222B1 | 2.6 | | 2 | 90 | COMMON |
0041655D | 2.0 | | 1 | 762 | COMMON |
0043A030 | 1.9 | | 1 | 656 | COMMON |
0042A270 | 1.6 | | 1 | 396 | COMMON |
00416E70 | 1.4 | | 1 | 149 | COMMON |
00422966 | 1.4 | | 1 | 114 | COMMON |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0041ADE9 Relevance: 1.4, Strings: 1, Instructions: 113COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043D8E0 Relevance: 1.4, Strings: 1, Instructions: 112COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00427223 Relevance: 1.3, Strings: 1, Instructions: 40COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00407550 Relevance: .6, Instructions: 625COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004059D0 Relevance: .4, Instructions: 448COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00437420 Relevance: .4, Instructions: 432COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00439BF0 Relevance: .2, Instructions: 211COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040DDFA Relevance: .2, Instructions: 160COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043C2EE Relevance: .1, Instructions: 104COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0041AB1A Relevance: .1, Instructions: 67COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004277A1 Relevance: .1, Instructions: 64COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00429CD0 Relevance: .1, Instructions: 63COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042C199 Relevance: .0, Instructions: 29COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00430528 Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 161memoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|