Edit tour
Windows
Analysis Report
Collapse.exe
Overview
General Information
| Sample name: | Collapse.exe |
| Analysis ID: | 1580146 |
| MD5: | 06bb4e80f74838278ce9467788cc6d94 |
| SHA1: | 5327b59b123d9e888ae42ef10fcf7fda094909e0 |
| SHA256: | 09852f87a7032ed63baf8f840d9bb379efb399e42bcdeedf9f4dff5b1b561c31 |
| Tags: | exeuser-aachum |
| Infos: |  |
 | |
Detection
LummaC
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
Collapse.exe (PID: 6672 cmdline: "C:\Users\ user\Deskt op\Collaps e.exe" MD5: 06BB4E80F74838278CE9467788CC6D94) 
conhost.exe (PID: 3044 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - Collapse.exe (PID: 3960 cmdline:
"C:\Users\ user\Deskt op\Collaps e.exe" MD5: 06BB4E80F74838278CE9467788CC6D94) - Collapse.exe (PID: 2756 cmdline:
"C:\Users\ user\Deskt op\Collaps e.exe" MD5: 06BB4E80F74838278CE9467788CC6D94) - Collapse.exe (PID: 6508 cmdline:
"C:\Users\ user\Deskt op\Collaps e.exe" MD5: 06BB4E80F74838278CE9467788CC6D94) - Collapse.exe (PID: 5924 cmdline:
"C:\Users\ user\Deskt op\Collaps e.exe" MD5: 06BB4E80F74838278CE9467788CC6D94)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
{"C2 url": ["manyrestro.lat", "wordyfindy.lat", "observerfry.lat", "shapestickyr.lat", "talkynicer.lat", "curverpluch.lat", "tentabatte.lat", "slipperyloo.lat", "bashfulacid.lat"], "Build id": "BVnUqo--@distez"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security | ||
| Click to see the 1 entries | ||||
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-24T02:17:07.075896+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49699 | 172.67.199.72 | 443 | TCP |
| 2024-12-24T02:17:09.058332+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49700 | 172.67.199.72 | 443 | TCP |
| 2024-12-24T02:17:11.496122+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49701 | 172.67.199.72 | 443 | TCP |
| 2024-12-24T02:17:14.075000+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49703 | 172.67.199.72 | 443 | TCP |
| 2024-12-24T02:17:16.375867+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49709 | 172.67.199.72 | 443 | TCP |
| 2024-12-24T02:17:19.765970+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49715 | 172.67.199.72 | 443 | TCP |
| 2024-12-24T02:17:22.776587+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49726 | 172.67.199.72 | 443 | TCP |
| 2024-12-24T02:17:26.959139+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49740 | 172.67.199.72 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-24T02:17:07.818283+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49699 | 172.67.199.72 | 443 | TCP |
| 2024-12-24T02:17:09.821663+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49700 | 172.67.199.72 | 443 | TCP |
| 2024-12-24T02:17:27.729027+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49740 | 172.67.199.72 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-24T02:17:07.818283+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49699 | 172.67.199.72 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-24T02:17:09.821663+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.7 | 49700 | 172.67.199.72 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-24T02:17:12.704980+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49701 | 172.67.199.72 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Code function: | 6_2_004164FD | |
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_009A0CF8 | |
| Source: | Code function: | 0_2_009A0DA9 | |
| Source: | Code function: | 3_2_009A0CF8 | |
| Source: | Code function: | 3_2_009A0DA9 | |
| Source: | Code function: | 6_2_00422870 | |
| Source: | Code function: | 6_2_00422870 | |
| Source: | Code function: | 6_2_00422870 | |
| Source: | Code function: | 6_2_0040B8A4 | |
| Source: | Code function: | 6_2_0043C210 | |
| Source: | Code function: | 6_2_0043C210 | |
| Source: | Code function: | 6_2_0042DCFD | |
| Source: | Code function: | 6_2_00438C90 | |
| Source: | Code function: | 6_2_004085D0 | |
| Source: | Code function: | 6_2_0040D643 | |
| Source: | Code function: | 6_2_0040D643 | |
| Source: | Code function: | 6_2_0040D643 | |
| Source: | Code function: | 6_2_0043E720 | |
| Source: | Code function: | 6_2_0041B84B | |
| Source: | Code function: | 6_2_0043F800 | |
| Source: | Code function: | 6_2_0041D810 | |
| Source: | Code function: | 6_2_00426837 | |
| Source: | Code function: | 6_2_0042C097 | |
| Source: | Code function: | 6_2_0042A8B0 | |
| Source: | Code function: | 6_2_0043F8B0 | |
| Source: | Code function: | 6_2_00409140 | |
| Source: | Code function: | 6_2_0043F940 | |
| Source: | Code function: | 6_2_0042D941 | |
| Source: | Code function: | 6_2_0042D14C | |
| Source: | Code function: | 6_2_00436150 | |
| Source: | Code function: | 6_2_004191D0 | |
| Source: | Code function: | 6_2_004191D0 | |
| Source: | Code function: | 6_2_0043C980 | |
| Source: | Code function: | 6_2_0043A1A9 | |
| Source: | Code function: | 6_2_00417A51 | |
| Source: | Code function: | 6_2_00417A51 | |
| Source: | Code function: | 6_2_00417A51 | |
| Source: | Code function: | 6_2_00421200 | |
| Source: | Code function: | 6_2_00421200 | |
| Source: | Code function: | 6_2_00417303 | |
| Source: | Code function: | 6_2_00417303 | |
| Source: | Code function: | 6_2_0042A320 | |
| Source: | Code function: | 6_2_0041B323 | |
| Source: | Code function: | 6_2_0041B323 | |
| Source: | Code function: | 6_2_004253E5 | |
| Source: | Code function: | 6_2_00402BA0 | |
| Source: | Code function: | 6_2_004073B0 | |
| Source: | Code function: | 6_2_004073B0 | |
| Source: | Code function: | 6_2_00424C22 | |
| Source: | Code function: | 6_2_0040E425 | |
| Source: | Code function: | 6_2_0042BC3F | |
| Source: | Code function: | 6_2_0042BC3F | |
| Source: | Code function: | 6_2_0042BCC8 | |
| Source: | Code function: | 6_2_0042BCC8 | |
| Source: | Code function: | 6_2_004274E8 | |
| Source: | Code function: | 6_2_0043C480 | |
| Source: | Code function: | 6_2_0041B4B9 | |
| Source: | Code function: | 6_2_0043F5C0 | |
| Source: | Code function: | 6_2_00413DA0 | |
| Source: | Code function: | 6_2_0040E65B | |
| Source: | Code function: | 6_2_004146D0 | |
| Source: | Code function: | 6_2_0043F6D0 | |
| Source: | Code function: | 6_2_004396F0 | |
| Source: | Code function: | 6_2_004396F0 | |
| Source: | Code function: | 6_2_004396F0 | |
| Source: | Code function: | 6_2_004406F0 | |
| Source: | Code function: | 6_2_004406F0 | |
| Source: | Code function: | 6_2_0043D71C | |
| Source: | Code function: | 6_2_0043F5C0 | |
| Source: | Code function: | 6_2_0043E7DE | |
| Source: | Code function: | 6_2_0043EFF1 | |
| Source: | Code function: | 6_2_0043EFF1 | |
| Source: | Code function: | 6_2_0042D7B7 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 6_2_00433510 | |
| Source: | Code function: | 6_2_00433510 | |
| Source: | Code function: | 0_2_0098E094 | |
| Source: | Code function: | 0_2_00981000 | |
| Source: | Code function: | 0_2_009A6102 | |
| Source: | Code function: | 0_2_00992AA1 | |
| Source: | Code function: | 0_2_009A43FF | |
| Source: | Code function: | 0_2_00998D90 | |
| Source: | Code function: | 0_2_00993EA0 | |
| Source: | Code function: | 3_2_0098E094 | |
| Source: | Code function: | 3_2_00981000 | |
| Source: | Code function: | 3_2_009A6102 | |
| Source: | Code function: | 3_2_00992AA1 | |
| Source: | Code function: | 3_2_009A43FF | |
| Source: | Code function: | 3_2_00998D90 | |
| Source: | Code function: | 3_2_00993EA0 | |
| Source: | Code function: | 6_2_0040A870 | |
| Source: | Code function: | 6_2_00422870 | |
| Source: | Code function: | 6_2_004118D0 | |
| Source: | Code function: | 6_2_004388E0 | |
| Source: | Code function: | 6_2_004089A0 | |
| Source: | Code function: | 6_2_004379A2 | |
| Source: | Code function: | 6_2_00426210 | |
| Source: | Code function: | 6_2_0043C210 | |
| Source: | Code function: | 6_2_00440AC0 | |
| Source: | Code function: | 6_2_004104E7 | |
| Source: | Code function: | 6_2_0042C4F6 | |
| Source: | Code function: | 6_2_00438C90 | |
| Source: | Code function: | 6_2_0040AD20 | |
| Source: | Code function: | 6_2_004085D0 | |
| Source: | Code function: | 6_2_0040D643 | |
| Source: | Code function: | 6_2_00441600 | |
| Source: | Code function: | 6_2_0043FF90 | |
| Source: | Code function: | 6_2_0041A800 | |
| Source: | Code function: | 6_2_0043F800 | |
| Source: | Code function: | 6_2_00441800 | |
| Source: | Code function: | 6_2_0041D810 | |
| Source: | Code function: | 6_2_00426837 | |
| Source: | Code function: | 6_2_004058E0 | |
| Source: | Code function: | 6_2_0041F0E6 | |
| Source: | Code function: | 6_2_004368AC | |
| Source: | Code function: | 6_2_0040F8B0 | |
| Source: | Code function: | 6_2_0043F8B0 | |
| Source: | Code function: | 6_2_00406140 | |
| Source: | Code function: | 6_2_00409140 | |
| Source: | Code function: | 6_2_0043F940 | |
| Source: | Code function: | 6_2_00403900 | |
| Source: | Code function: | 6_2_0042E904 | |
| Source: | Code function: | 6_2_00427134 | |
| Source: | Code function: | 6_2_004191D0 | |
| Source: | Code function: | 6_2_004381D0 | |
| Source: | Code function: | 6_2_004231E0 | |
| Source: | Code function: | 6_2_0043A1A9 | |
| Source: | Code function: | 6_2_0043CA40 | |
| Source: | Code function: | 6_2_00417A51 | |
| Source: | Code function: | 6_2_00408A70 | |
| Source: | Code function: | 6_2_00425AC9 | |
| Source: | Code function: | 6_2_004402D0 | |
| Source: | Code function: | 6_2_004042B0 | |
| Source: | Code function: | 6_2_0042235A | |
| Source: | Code function: | 6_2_00439370 | |
| Source: | Code function: | 6_2_00431320 | |
| Source: | Code function: | 6_2_00436B24 | |
| Source: | Code function: | 6_2_00404BE0 | |
| Source: | Code function: | 6_2_004253E5 | |
| Source: | Code function: | 6_2_004233FA | |
| Source: | Code function: | 6_2_00422390 | |
| Source: | Code function: | 6_2_004073B0 | |
| Source: | Code function: | 6_2_0042CBBB | |
| Source: | Code function: | 6_2_0043FC10 | |
| Source: | Code function: | 6_2_00427C2A | |
| Source: | Code function: | 6_2_00438430 | |
| Source: | Code function: | 6_2_0041A4C0 | |
| Source: | Code function: | 6_2_00436CED | |
| Source: | Code function: | 6_2_00421C8F | |
| Source: | Code function: | 6_2_0042C490 | |
| Source: | Code function: | 6_2_00415CA0 | |
| Source: | Code function: | 6_2_00437CB8 | |
| Source: | Code function: | 6_2_0042CD4B | |
| Source: | Code function: | 6_2_0042FD53 | |
| Source: | Code function: | 6_2_00428572 | |
| Source: | Code function: | 6_2_00421500 | |
| Source: | Code function: | 6_2_0042CD0A | |
| Source: | Code function: | 6_2_0041D520 | |
| Source: | Code function: | 6_2_00428D20 | |
| Source: | Code function: | 6_2_0043F5C0 | |
| Source: | Code function: | 6_2_004065D0 | |
| Source: | Code function: | 6_2_00424DF0 | |
| Source: | Code function: | 6_2_0041CD80 | |
| Source: | Code function: | 6_2_00405DA0 | |
| Source: | Code function: | 6_2_004095A0 | |
| Source: | Code function: | 6_2_00413DA0 | |
| Source: | Code function: | 6_2_00410E59 | |
| Source: | Code function: | 6_2_0041BE60 | |
| Source: | Code function: | 6_2_00414E0D | |
| Source: | Code function: | 6_2_00430E2C | |
| Source: | Code function: | 6_2_004146D0 | |
| Source: | Code function: | 6_2_0043F6D0 | |
| Source: | Code function: | 6_2_004226DC | |
| Source: | Code function: | 6_2_00402EE0 | |
| Source: | Code function: | 6_2_00408EF0 | |
| Source: | Code function: | 6_2_004396F0 | |
| Source: | Code function: | 6_2_004406F0 | |
| Source: | Code function: | 6_2_00425740 | |
| Source: | Code function: | 6_2_0041671A | |
| Source: | Code function: | 6_2_0043D71C | |
| Source: | Code function: | 6_2_00422F30 | |
| Source: | Code function: | 6_2_0043F5C0 | |
| Source: | Code function: | 6_2_0043EFF1 | |
| Source: | Code function: | 6_2_00439FF0 | |
| Source: | Code function: | 6_2_00428D20 | |
| Source: | Code function: | 6_2_004157B0 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 6_2_00438C90 | |
| Source: | Mutant created: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | ReversingLabs: | ||
| Source: | Virustotal: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_0098E76D | |
| Source: | Code function: | 3_2_0098E76D | |
| Source: | Code function: | 6_2_00446871 | |
| Source: | Code function: | 6_2_00433AFF | |
| Source: | Code function: | 6_2_0043F535 | |
| Source: | Code function: | 6_2_0043C5DE | |
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | WMI Queries: | ||
| Source: | System information queried: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | Code function: | 0_2_009A0CF8 | |
| Source: | Code function: | 0_2_009A0DA9 | |
| Source: | Code function: | 3_2_009A0CF8 | |
| Source: | Code function: | 3_2_009A0DA9 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 6_2_0043E0F0 | |
| Source: | Code function: | 0_2_009972FD | |
| Source: | Code function: | 0_2_009B619E | |
| Source: | Code function: | 0_2_00981690 | |
| Source: | Code function: | 3_2_00981690 | |
| Source: | Code function: | 0_2_0099C705 | |
| Source: | Code function: | 0_2_0098E06C | |
| Source: | Code function: | 0_2_009972FD | |
| Source: | Code function: | 0_2_0098E42C | |
| Source: | Code function: | 0_2_0098E420 | |
| Source: | Code function: | 3_2_0098E06C | |
| Source: | Code function: | 3_2_009972FD | |
| Source: | Code function: | 3_2_0098E42C | |
| Source: | Code function: | 3_2_0098E420 | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Code function: | 0_2_009B619E | |
| Source: | Memory written: | Jump to behavior | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 6_2_00438430 | |
| Source: | Code function: | 0_2_009A08CD | |
| Source: | Code function: | 0_2_009A0062 | |
| Source: | Code function: | 0_2_009A02B3 | |
| Source: | Code function: | 0_2_0099BA4C | |
| Source: | Code function: | 0_2_009A034E | |
| Source: | Code function: | 0_2_009A05A1 | |
| Source: | Code function: | 0_2_009A06D5 | |
| Source: | Code function: | 0_2_009A0600 | |
| Source: | Code function: | 0_2_009A07C7 | |
| Source: | Code function: | 0_2_0099BFF0 | |
| Source: | Code function: | 0_2_009A0720 | |
| Source: | Code function: | 3_2_009A08CD | |
| Source: | Code function: | 3_2_009A0062 | |
| Source: | Code function: | 3_2_009A02B3 | |
| Source: | Code function: | 3_2_0099BA4C | |
| Source: | Code function: | 3_2_009A034E | |
| Source: | Code function: | 3_2_009A05A1 | |
| Source: | Code function: | 3_2_009A06D5 | |
| Source: | Code function: | 3_2_009A0600 | |
| Source: | Code function: | 3_2_009A07C7 | |
| Source: | Code function: | 3_2_0099BFF0 | |
| Source: | Code function: | 3_2_009A0720 | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_0098EB50 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 DLL Side-Loading | 211 Process Injection | 21 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 211 Process Injection | LSASS Memory | 1 Query Registry | Remote Desktop Protocol | 41 Data from Local System | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 241 Security Software Discovery | SMB/Windows Admin Shares | 2 Clipboard Data | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 21 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 114 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 11 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 43 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 37% | ReversingLabs | Win32.Trojan.Generic | ||
| 32% | Virustotal | Browse | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| observerfry.lat | 172.67.199.72 | true | false | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | high | ||
| false | high | ||
| false | high | ||
| false | high | ||
| false | high | ||
| false | high | ||
| false | high | ||
| false | high | ||
| false | high | ||
| false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 172.67.199.72 | observerfry.lat | United States | 13335 | CLOUDFLARENETUS | false | |
| 147.45.47.81 | unknown | Russian Federation | 2895 | FREE-NET-ASFREEnetEU | false |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1580146 |
| Start date and time: | 2024-12-24 02:16:08 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 33s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 18 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | Collapse.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@10/1@1/2 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.175.87.197
- Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target Collapse.exe, PID 3960 because there are no executed function
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
| Time | Type | Description |
|---|---|---|
| 20:17:07 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 172.67.199.72 | Get hash | malicious | LummaC | Browse | ||
| Get hash | malicious | LummaC | Browse | |||
| Get hash | malicious | LummaC | Browse | |||
| Get hash | malicious | LummaC | Browse | |||
| Get hash | malicious | LummaC, Stealc | Browse | |||
| Get hash | malicious | LummaC, Stealc | Browse | |||
| Get hash | malicious | LummaC, Stealc | Browse | |||
| 147.45.47.81 | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC, Xmrig | Browse |
| ||
| Get hash | malicious | LummaC, Xmrig | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | RedLine, Xmrig | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| observerfry.lat | Get hash | malicious | LummaC, Stealc | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC, Stealc | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC, Stealc | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| FREE-NET-ASFREEnetEU | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse |
| ||
| Get hash | malicious | Cryptbot | Browse |
| ||
| CLOUDFLARENETUS | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
|
⊘No context
| Process: | C:\Users\user\Desktop\Collapse.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 15 |
| Entropy (8bit): | 3.906890595608518 |
| Encrypted: | false |
| SSDEEP: | 3:SXhRi75n:SC5 |
| MD5: | 3A33AF4BC7DC9699EE324B91553C2B46 |
| SHA1: | 4CCE2BF1011CA006FAAB23506A349173ACC40434 |
| SHA-256: | 226D20C16ED4D8DDDFD00870E83E3B6EEDEDB86704A7BF43B5826B71D61500AE |
| SHA-512: | 960194C8B60C086520D1A76B94F52BA88AC2DDEC76A18B2D7ABF758FFFF138E9EDD23E62D4375A34072B42FBA51C6D186554B1AA71D60835EF1E18BEB8873B1D |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.6146050637831415 |
| TrID: |
|
| File name: | Collapse.exe |
| File size: | 540'160 bytes |
| MD5: | 06bb4e80f74838278ce9467788cc6d94 |
| SHA1: | 5327b59b123d9e888ae42ef10fcf7fda094909e0 |
| SHA256: | 09852f87a7032ed63baf8f840d9bb379efb399e42bcdeedf9f4dff5b1b561c31 |
| SHA512: | 59862d2365b05d74a308a0d5f5e4da865759ce409a89c55d71f0c396765a82d4be3cb18a8595adef6b3bfd1d261282dcbffb0b1bb57779691bb2712f160b34b9 |
| SSDEEP: | 12288:luB9du8NOZx84E5YoSSt9iLS1gYEtAarDRjAMJMq:u9du88Zx8VAZ2gLeMD9AMMq |
| TLSH: | 26B4E001B490C072C9672477A9B6DBAA453EF9304F22AADFA7880D79DB315D0E731B17 |
| File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...WZig..........".................R.............@.......................................@.................................dH..<.. |
 | |
| Icon Hash: | 00928e8e8686b000 |
| Entrypoint: | 0x40ef52 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows cui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x67695A57 [Mon Dec 23 12:40:55 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 5cc7e689f2864a0a9a8589c00efad8df |
| Instruction |
|---|
| call 00007FCBB95A2A9Ah |
| jmp 00007FCBB95A2909h |
| mov ecx, dword ptr [00436840h] |
| push esi |
| push edi |
| mov edi, BB40E64Eh |
| mov esi, FFFF0000h |
| cmp ecx, edi |
| je 00007FCBB95A2A96h |
| test esi, ecx |
| jne 00007FCBB95A2AB8h |
| call 00007FCBB95A2AC1h |
| mov ecx, eax |
| cmp ecx, edi |
| jne 00007FCBB95A2A99h |
| mov ecx, BB40E64Fh |
| jmp 00007FCBB95A2AA0h |
| test esi, ecx |
| jne 00007FCBB95A2A9Ch |
| or eax, 00004711h |
| shl eax, 10h |
| or ecx, eax |
| mov dword ptr [00436840h], ecx |
| not ecx |
| pop edi |
| mov dword ptr [00436880h], ecx |
| pop esi |
| ret |
| push ebp |
| mov ebp, esp |
| sub esp, 14h |
| lea eax, dword ptr [ebp-0Ch] |
| xorps xmm0, xmm0 |
| push eax |
| movlpd qword ptr [ebp-0Ch], xmm0 |
| call dword ptr [00434AC4h] |
| mov eax, dword ptr [ebp-08h] |
| xor eax, dword ptr [ebp-0Ch] |
| mov dword ptr [ebp-04h], eax |
| call dword ptr [00434A78h] |
| xor dword ptr [ebp-04h], eax |
| call dword ptr [00434A74h] |
| xor dword ptr [ebp-04h], eax |
| lea eax, dword ptr [ebp-14h] |
| push eax |
| call dword ptr [00434B0Ch] |
| mov eax, dword ptr [ebp-10h] |
| lea ecx, dword ptr [ebp-04h] |
| xor eax, dword ptr [ebp-14h] |
| xor eax, dword ptr [ebp-04h] |
| xor eax, ecx |
| leave |
| ret |
| mov eax, 00004000h |
| ret |
| push 00437E18h |
| call dword ptr [00434AE4h] |
| ret |
| mov al, 01h |
| ret |
| push 00030000h |
| push 00010000h |
| push 00000000h |
| call 00007FCBB95AA27Bh |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x34864 | 0x3c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3a000 | 0x1d70 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x30d08 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2d008 | 0xc0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x34a0c | 0x16c | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x2a52b | 0x2a600 | ca7697ad91eaacd837ed51179759a947 | False | 0.5367809734513275 | data | 6.539348053061756 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x2c000 | 0x9d7c | 0x9e00 | 964f1e27d13bf05fbdae349f651c8112 | False | 0.4288221914556962 | data | 4.95389314063731 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x36000 | 0x25e4 | 0x1600 | f9cffcfbe2a982ed0d73caf2c5c26405 | False | 0.40678267045454547 | data | 4.770466622070642 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .tls | 0x39000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .reloc | 0x3a000 | 0x1d70 | 0x1e00 | 050a442cf25b388dea29342e31853d9f | False | 0.7709635416666667 | data | 6.524650010128688 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| .bss | 0x3c000 | 0x4be00 | 0x4be00 | c8b60e8961dfc7f92b470543f456303f | False | 1.0003249845551894 | data | 7.999427458882808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| DLL | Import |
|---|---|
| KERNEL32.dll | AcquireSRWLockExclusive, CloseHandle, CompareStringW, CreateFileW, CreateThread, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, ExitThread, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetExitCodeThread, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, WaitForSingleObjectEx, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile |
| USER32.dll | DefWindowProcW |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-24T02:17:07.075896+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49699 | 172.67.199.72 | 443 | TCP |
| 2024-12-24T02:17:07.818283+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49699 | 172.67.199.72 | 443 | TCP |
| 2024-12-24T02:17:07.818283+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49699 | 172.67.199.72 | 443 | TCP |
| 2024-12-24T02:17:09.058332+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49700 | 172.67.199.72 | 443 | TCP |
| 2024-12-24T02:17:09.821663+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.7 | 49700 | 172.67.199.72 | 443 | TCP |
| 2024-12-24T02:17:09.821663+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49700 | 172.67.199.72 | 443 | TCP |
| 2024-12-24T02:17:11.496122+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49701 | 172.67.199.72 | 443 | TCP |
| 2024-12-24T02:17:12.704980+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.7 | 49701 | 172.67.199.72 | 443 | TCP |
| 2024-12-24T02:17:14.075000+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49703 | 172.67.199.72 | 443 | TCP |
| 2024-12-24T02:17:16.375867+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49709 | 172.67.199.72 | 443 | TCP |
| 2024-12-24T02:17:19.765970+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49715 | 172.67.199.72 | 443 | TCP |
| 2024-12-24T02:17:22.776587+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49726 | 172.67.199.72 | 443 | TCP |
| 2024-12-24T02:17:26.959139+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49740 | 172.67.199.72 | 443 | TCP |
| 2024-12-24T02:17:27.729027+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49740 | 172.67.199.72 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 24, 2024 02:17:05.850352049 CET | 49699 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:05.850383043 CET | 443 | 49699 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:05.850482941 CET | 49699 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:05.853123903 CET | 49699 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:05.853135109 CET | 443 | 49699 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:07.075817108 CET | 443 | 49699 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:07.075896025 CET | 49699 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:07.079808950 CET | 49699 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:07.079816103 CET | 443 | 49699 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:07.080205917 CET | 443 | 49699 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:07.121357918 CET | 49699 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:07.125785112 CET | 49699 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:07.125814915 CET | 49699 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:07.125888109 CET | 443 | 49699 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:07.818303108 CET | 443 | 49699 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:07.818468094 CET | 443 | 49699 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:07.818530083 CET | 49699 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:07.823543072 CET | 49699 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:07.823555946 CET | 443 | 49699 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:07.842907906 CET | 49700 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:07.842946053 CET | 443 | 49700 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:07.843017101 CET | 49700 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:07.844068050 CET | 49700 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:07.844084978 CET | 443 | 49700 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:09.058255911 CET | 443 | 49700 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:09.058331966 CET | 49700 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:09.060502052 CET | 49700 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:09.060514927 CET | 443 | 49700 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:09.060846090 CET | 443 | 49700 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:09.062455893 CET | 49700 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:09.062642097 CET | 49700 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:09.062669992 CET | 443 | 49700 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:09.821671963 CET | 443 | 49700 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:09.822376966 CET | 443 | 49700 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:09.822434902 CET | 49700 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:09.822463036 CET | 443 | 49700 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:09.823328972 CET | 443 | 49700 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:09.823368073 CET | 443 | 49700 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:09.823393106 CET | 49700 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:09.823402882 CET | 443 | 49700 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:09.823452950 CET | 49700 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:09.830017090 CET | 443 | 49700 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:09.838251114 CET | 443 | 49700 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:09.838296890 CET | 49700 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:09.838303089 CET | 443 | 49700 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:09.886970997 CET | 49700 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:09.886981010 CET | 443 | 49700 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:09.933840036 CET | 49700 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:09.941121101 CET | 443 | 49700 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:09.980722904 CET | 49700 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:09.980741978 CET | 443 | 49700 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:10.027621984 CET | 49700 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:10.037928104 CET | 443 | 49700 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:10.041798115 CET | 443 | 49700 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:10.041848898 CET | 49700 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:10.041856050 CET | 443 | 49700 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:10.041898966 CET | 443 | 49700 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:10.041948080 CET | 49700 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:10.042046070 CET | 49700 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:10.042056084 CET | 443 | 49700 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:10.042066097 CET | 49700 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:10.042069912 CET | 443 | 49700 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:10.238320112 CET | 49701 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:10.238348007 CET | 443 | 49701 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:10.238428116 CET | 49701 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:10.238734007 CET | 49701 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:10.238749027 CET | 443 | 49701 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:11.495961905 CET | 443 | 49701 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:11.496121883 CET | 49701 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:11.498552084 CET | 49701 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:11.498563051 CET | 443 | 49701 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:11.498909950 CET | 443 | 49701 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:11.500360012 CET | 49701 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:11.500509024 CET | 49701 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:11.500556946 CET | 443 | 49701 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:12.704988003 CET | 443 | 49701 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:12.705086946 CET | 443 | 49701 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:12.705147982 CET | 49701 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:12.705333948 CET | 49701 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:12.705348969 CET | 443 | 49701 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:12.842178106 CET | 49703 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:12.842226028 CET | 443 | 49703 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:12.842298031 CET | 49703 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:12.842628002 CET | 49703 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:12.842644930 CET | 443 | 49703 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:14.074904919 CET | 443 | 49703 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:14.075000048 CET | 49703 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:14.076756954 CET | 49703 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:14.076766014 CET | 443 | 49703 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:14.076999903 CET | 443 | 49703 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:14.078394890 CET | 49703 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:14.078528881 CET | 49703 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:14.078562975 CET | 443 | 49703 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:14.078613043 CET | 49703 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:14.119343042 CET | 443 | 49703 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:14.903111935 CET | 443 | 49703 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:14.903227091 CET | 443 | 49703 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:14.903289080 CET | 49703 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:14.903480053 CET | 49703 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:14.903496981 CET | 443 | 49703 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:15.146105051 CET | 49709 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:15.146152973 CET | 443 | 49709 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:15.146229982 CET | 49709 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:15.146506071 CET | 49709 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:15.146533966 CET | 443 | 49709 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:16.375699043 CET | 443 | 49709 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:16.375866890 CET | 49709 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:16.377037048 CET | 49709 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:16.377052069 CET | 443 | 49709 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:16.377285004 CET | 443 | 49709 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:16.378542900 CET | 49709 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:16.378684998 CET | 49709 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:16.378720045 CET | 443 | 49709 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:16.378783941 CET | 49709 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:16.378794909 CET | 443 | 49709 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:17.319123030 CET | 443 | 49709 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:17.319283009 CET | 443 | 49709 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:17.319365978 CET | 49709 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:17.319514990 CET | 49709 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:17.319535971 CET | 443 | 49709 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:18.548345089 CET | 49715 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:18.548388958 CET | 443 | 49715 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:18.548459053 CET | 49715 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:18.548784971 CET | 49715 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:18.548805952 CET | 443 | 49715 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:19.765840054 CET | 443 | 49715 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:19.765969992 CET | 49715 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:19.767384052 CET | 49715 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:19.767401934 CET | 443 | 49715 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:19.767916918 CET | 443 | 49715 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:19.769227982 CET | 49715 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:19.769340992 CET | 49715 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:19.769352913 CET | 443 | 49715 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:20.525319099 CET | 443 | 49715 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:20.525574923 CET | 443 | 49715 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:20.525671005 CET | 49715 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:20.525970936 CET | 49715 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:20.526006937 CET | 443 | 49715 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:21.555505991 CET | 49726 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:21.555556059 CET | 443 | 49726 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:21.555630922 CET | 49726 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:21.555999994 CET | 49726 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:21.556015015 CET | 443 | 49726 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:22.776475906 CET | 443 | 49726 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:22.776587009 CET | 49726 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:22.778357983 CET | 49726 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:22.778367996 CET | 443 | 49726 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:22.778774023 CET | 443 | 49726 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:22.780507088 CET | 49726 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:22.781496048 CET | 49726 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:22.781537056 CET | 443 | 49726 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:22.781652927 CET | 49726 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:22.781694889 CET | 443 | 49726 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:22.781847954 CET | 49726 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:22.781883001 CET | 443 | 49726 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:22.782027006 CET | 49726 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:22.782056093 CET | 443 | 49726 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:22.783001900 CET | 49726 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:22.783032894 CET | 443 | 49726 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:22.783227921 CET | 49726 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:22.783258915 CET | 443 | 49726 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:22.783283949 CET | 49726 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:22.783471107 CET | 49726 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:22.783502102 CET | 49726 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:22.827343941 CET | 443 | 49726 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:22.827625036 CET | 49726 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:22.827671051 CET | 49726 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:22.827682972 CET | 49726 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:22.871332884 CET | 443 | 49726 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:22.871515036 CET | 49726 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:22.871567965 CET | 49726 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:22.871593952 CET | 49726 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:22.919336081 CET | 443 | 49726 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:22.919426918 CET | 49726 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:22.963360071 CET | 443 | 49726 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:23.142807007 CET | 443 | 49726 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:25.611607075 CET | 443 | 49726 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:25.611875057 CET | 443 | 49726 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:25.613419056 CET | 49726 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:25.613521099 CET | 49726 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:25.613535881 CET | 443 | 49726 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:25.741550922 CET | 49740 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:25.741563082 CET | 443 | 49740 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:25.741683960 CET | 49740 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:25.742041111 CET | 49740 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:25.742067099 CET | 443 | 49740 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:26.959064960 CET | 443 | 49740 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:26.959139109 CET | 49740 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:26.961189032 CET | 49740 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:26.961206913 CET | 443 | 49740 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:26.961543083 CET | 443 | 49740 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:26.981883049 CET | 49740 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:26.981919050 CET | 49740 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:26.981992006 CET | 443 | 49740 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:27.729018927 CET | 443 | 49740 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:27.729159117 CET | 443 | 49740 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:27.729286909 CET | 49740 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:27.729393959 CET | 49740 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:27.729444027 CET | 443 | 49740 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:27.729474068 CET | 49740 | 443 | 192.168.2.7 | 172.67.199.72 |
| Dec 24, 2024 02:17:27.729490042 CET | 443 | 49740 | 172.67.199.72 | 192.168.2.7 |
| Dec 24, 2024 02:17:27.732490063 CET | 49742 | 80 | 192.168.2.7 | 147.45.47.81 |
| Dec 24, 2024 02:17:27.851955891 CET | 80 | 49742 | 147.45.47.81 | 192.168.2.7 |
| Dec 24, 2024 02:17:27.855142117 CET | 49742 | 80 | 192.168.2.7 | 147.45.47.81 |
| Dec 24, 2024 02:17:27.855328083 CET | 49742 | 80 | 192.168.2.7 | 147.45.47.81 |
| Dec 24, 2024 02:17:27.974816084 CET | 80 | 49742 | 147.45.47.81 | 192.168.2.7 |
| Dec 24, 2024 02:17:49.743653059 CET | 80 | 49742 | 147.45.47.81 | 192.168.2.7 |
| Dec 24, 2024 02:17:49.743782997 CET | 49742 | 80 | 192.168.2.7 | 147.45.47.81 |
| Dec 24, 2024 02:17:49.743855953 CET | 49742 | 80 | 192.168.2.7 | 147.45.47.81 |
| Dec 24, 2024 02:17:49.864228010 CET | 80 | 49742 | 147.45.47.81 | 192.168.2.7 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 24, 2024 02:17:05.539305925 CET | 61874 | 53 | 192.168.2.7 | 1.1.1.1 |
| Dec 24, 2024 02:17:05.845431089 CET | 53 | 61874 | 1.1.1.1 | 192.168.2.7 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Dec 24, 2024 02:17:05.539305925 CET | 192.168.2.7 | 1.1.1.1 | 0x6bd6 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Dec 24, 2024 02:17:05.845431089 CET | 1.1.1.1 | 192.168.2.7 | 0x6bd6 | No error (0) | 172.67.199.72 | A (IP address) | IN (0x0001) | false | ||
| Dec 24, 2024 02:17:05.845431089 CET | 1.1.1.1 | 192.168.2.7 | 0x6bd6 | No error (0) | 104.21.36.201 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.7 | 49742 | 147.45.47.81 | 80 | 5924 | C:\Users\user\Desktop\Collapse.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Dec 24, 2024 02:17:27.855328083 CET | 198 | OUT |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.7 | 49699 | 172.67.199.72 | 443 | 5924 | C:\Users\user\Desktop\Collapse.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-24 01:17:07 UTC | 262 | OUT | |
| 2024-12-24 01:17:07 UTC | 8 | OUT | |
| 2024-12-24 01:17:07 UTC | 1125 | IN | |
| 2024-12-24 01:17:07 UTC | 7 | IN | |
| 2024-12-24 01:17:07 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.7 | 49700 | 172.67.199.72 | 443 | 5924 | C:\Users\user\Desktop\Collapse.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-24 01:17:09 UTC | 263 | OUT | |
| 2024-12-24 01:17:09 UTC | 49 | OUT | |
| 2024-12-24 01:17:09 UTC | 1129 | IN | |
| 2024-12-24 01:17:09 UTC | 240 | IN | |
| 2024-12-24 01:17:09 UTC | 896 | IN | |
| 2024-12-24 01:17:09 UTC | 1369 | IN | |
| 2024-12-24 01:17:09 UTC | 1369 | IN | |
| 2024-12-24 01:17:09 UTC | 1369 | IN | |
| 2024-12-24 01:17:09 UTC | 1369 | IN | |
| 2024-12-24 01:17:09 UTC | 1369 | IN | |
| 2024-12-24 01:17:09 UTC | 1369 | IN | |
| 2024-12-24 01:17:09 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.7 | 49701 | 172.67.199.72 | 443 | 5924 | C:\Users\user\Desktop\Collapse.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-24 01:17:11 UTC | 278 | OUT | |
| 2024-12-24 01:17:11 UTC | 12828 | OUT | |
| 2024-12-24 01:17:12 UTC | 1130 | IN | |
| 2024-12-24 01:17:12 UTC | 20 | IN | |
| 2024-12-24 01:17:12 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.7 | 49703 | 172.67.199.72 | 443 | 5924 | C:\Users\user\Desktop\Collapse.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-24 01:17:14 UTC | 279 | OUT | |
| 2024-12-24 01:17:14 UTC | 15066 | OUT | |
| 2024-12-24 01:17:14 UTC | 1136 | IN | |
| 2024-12-24 01:17:14 UTC | 20 | IN | |
| 2024-12-24 01:17:14 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.7 | 49709 | 172.67.199.72 | 443 | 5924 | C:\Users\user\Desktop\Collapse.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-24 01:17:16 UTC | 277 | OUT | |
| 2024-12-24 01:17:16 UTC | 15331 | OUT | |
| 2024-12-24 01:17:16 UTC | 5048 | OUT | |
| 2024-12-24 01:17:17 UTC | 1137 | IN | |
| 2024-12-24 01:17:17 UTC | 20 | IN | |
| 2024-12-24 01:17:17 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.7 | 49715 | 172.67.199.72 | 443 | 5924 | C:\Users\user\Desktop\Collapse.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-24 01:17:19 UTC | 270 | OUT | |
| 2024-12-24 01:17:19 UTC | 1162 | OUT | |
| 2024-12-24 01:17:20 UTC | 1124 | IN | |
| 2024-12-24 01:17:20 UTC | 20 | IN | |
| 2024-12-24 01:17:20 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.7 | 49726 | 172.67.199.72 | 443 | 5924 | C:\Users\user\Desktop\Collapse.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-24 01:17:22 UTC | 273 | OUT | |
| 2024-12-24 01:17:22 UTC | 15331 | OUT | |
| 2024-12-24 01:17:22 UTC | 15331 | OUT | |
| 2024-12-24 01:17:22 UTC | 15331 | OUT | |
| 2024-12-24 01:17:22 UTC | 15331 | OUT | |
| 2024-12-24 01:17:22 UTC | 15331 | OUT | |
| 2024-12-24 01:17:22 UTC | 15331 | OUT | |
| 2024-12-24 01:17:22 UTC | 15331 | OUT | |
| 2024-12-24 01:17:22 UTC | 15331 | OUT | |
| 2024-12-24 01:17:22 UTC | 15331 | OUT | |
| 2024-12-24 01:17:22 UTC | 15331 | OUT | |
| 2024-12-24 01:17:25 UTC | 1132 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.7 | 49740 | 172.67.199.72 | 443 | 5924 | C:\Users\user\Desktop\Collapse.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-24 01:17:26 UTC | 263 | OUT | |
| 2024-12-24 01:17:26 UTC | 84 | OUT | |
| 2024-12-24 01:17:27 UTC | 1119 | IN | |
| 2024-12-24 01:17:27 UTC | 126 | IN | |
| 2024-12-24 01:17:27 UTC | 5 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 20:17:04 |
| Start date: | 23/12/2024 |
| Path: | C:\Users\user\Desktop\Collapse.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x980000 |
| File size: | 540'160 bytes |
| MD5 hash: | 06BB4E80F74838278CE9467788CC6D94 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 20:17:04 |
| Start date: | 23/12/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff75da10000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 20:17:04 |
| Start date: | 23/12/2024 |
| Path: | C:\Users\user\Desktop\Collapse.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x980000 |
| File size: | 540'160 bytes |
| MD5 hash: | 06BB4E80F74838278CE9467788CC6D94 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 20:17:04 |
| Start date: | 23/12/2024 |
| Path: | C:\Users\user\Desktop\Collapse.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x980000 |
| File size: | 540'160 bytes |
| MD5 hash: | 06BB4E80F74838278CE9467788CC6D94 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 5 |
| Start time: | 20:17:04 |
| Start date: | 23/12/2024 |
| Path: | C:\Users\user\Desktop\Collapse.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x980000 |
| File size: | 540'160 bytes |
| MD5 hash: | 06BB4E80F74838278CE9467788CC6D94 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 6 |
| Start time: | 20:17:04 |
| Start date: | 23/12/2024 |
| Path: | C:\Users\user\Desktop\Collapse.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x980000 |
| File size: | 540'160 bytes |
| MD5 hash: | 06BB4E80F74838278CE9467788CC6D94 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 10.1% |
| Dynamic/Decrypted Code Coverage: | 0.4% |
| Signature Coverage: | 1.3% |
| Total number of Nodes: | 2000 |
| Total number of Limit Nodes: | 32 |
Graph
Function 009B619E Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 295threadinjectionmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0099BD42 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00981860 Relevance: 9.2, APIs: 6, Instructions: 162fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00981700 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0099481D Relevance: 4.6, APIs: 3, Instructions: 51threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 009949B3 Relevance: 4.5, APIs: 3, Instructions: 30threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0099C862 Relevance: 3.1, APIs: 2, Instructions: 65COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00994935 Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00981B70 Relevance: 3.0, APIs: 2, Instructions: 28COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0099AD27 Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00981EA0 Relevance: 1.8, APIs: 1, Instructions: 289COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0098CE13 Relevance: 1.6, APIs: 1, Instructions: 116COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0098B510 Relevance: 1.6, APIs: 1, Instructions: 53COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0099AD61 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 009A07C7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00998D90 Relevance: 6.5, APIs: 4, Instructions: 455COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 009A0DA9 Relevance: 6.2, APIs: 4, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0098E42C Relevance: 6.1, APIs: 4, Instructions: 70COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 009A034E Relevance: 4.7, APIs: 3, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0098E094 Relevance: 1.7, APIs: 1, Instructions: 242COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 009A0CF8 Relevance: 1.7, APIs: 1, Instructions: 199fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00993EA0 Relevance: 1.6, Strings: 1, Instructions: 333COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 009A0600 Relevance: 1.6, APIs: 1, Instructions: 83COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00992AA1 Relevance: 1.6, Strings: 1, Instructions: 318COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 009A0720 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 009A08CD Relevance: 1.5, APIs: 1, Instructions: 48COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0098E420 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0099C705 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00981000 Relevance: .1, Instructions: 109COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00981690 Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0099DC7B Relevance: 10.8, APIs: 7, Instructions: 329COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0098EB1C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 009A8A9C Relevance: 9.3, APIs: 6, Instructions: 292COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0099A3BC Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00994A89 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0099C516 Relevance: 7.7, APIs: 5, Instructions: 197COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0098E8E7 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 009A52C1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 009A0B86 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00991652 Relevance: 6.1, APIs: 4, Instructions: 79COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 009A1F7C Relevance: 6.1, APIs: 4, Instructions: 74COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00982A60 Relevance: 6.1, APIs: 4, Instructions: 53threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0098EFA7 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0099F766 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0099A7E0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 122COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0099A04C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 009A0062 Relevance: 7.7, APIs: 5, Instructions: 182COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00998D90 Relevance: 6.5, APIs: 4, Instructions: 455COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 009A0DA9 Relevance: 6.2, APIs: 4, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0098E42C Relevance: 6.1, APIs: 4, Instructions: 70COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 009AA1B2 Relevance: 12.2, APIs: 8, Instructions: 248COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0099DC7B Relevance: 10.8, APIs: 7, Instructions: 329COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0098EB1C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 009A8A9C Relevance: 9.3, APIs: 6, Instructions: 292COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00999AF4 Relevance: 9.1, APIs: 6, Instructions: 60COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00994A89 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0099C516 Relevance: 7.7, APIs: 5, Instructions: 197COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00981860 Relevance: 7.7, APIs: 5, Instructions: 162COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0098E8E7 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0098C054 Relevance: 7.5, APIs: 5, Instructions: 44COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 009A52C1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 009A30BF Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0099A0E3 Relevance: 6.2, APIs: 4, Instructions: 168COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 009A0B86 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00991652 Relevance: 6.1, APIs: 4, Instructions: 79COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 009A1F7C Relevance: 6.1, APIs: 4, Instructions: 74COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00982A60 Relevance: 6.1, APIs: 4, Instructions: 53threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 009AA470 Relevance: 6.0, APIs: 4, Instructions: 29COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 10.9% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 34.8% |
| Total number of Nodes: | 356 |
| Total number of Limit Nodes: | 19 |
Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00438C90 Relevance: 35.5, APIs: 11, Strings: 9, Instructions: 525memorycomCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004085D0 Relevance: 7.8, APIs: 5, Instructions: 312threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004164FD Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 143encryptionCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043E720 Relevance: 2.6, Strings: 2, Instructions: 80COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043E0F0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B8A4 Relevance: 1.4, Strings: 1, Instructions: 108COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043C210 Relevance: .2, Instructions: 213COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040C846 Relevance: 3.1, APIs: 2, Instructions: 133COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043E060 Relevance: 1.5, APIs: 1, Instructions: 38memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043E1D2 Relevance: 1.5, APIs: 1, Instructions: 34COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043041B Relevance: 1.5, APIs: 1, Instructions: 24COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00432D4D Relevance: 1.5, APIs: 1, Instructions: 20COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040C9FD Relevance: 1.5, APIs: 1, Instructions: 17COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043C1E0 Relevance: 1.5, APIs: 1, Instructions: 13memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043C1C0 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041D810 Relevance: 12.0, Strings: 9, Instructions: 788COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00424C22 Relevance: 7.7, Strings: 6, Instructions: 152COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043D71C Relevance: 5.3, Strings: 4, Instructions: 257COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00438430 Relevance: 5.2, Strings: 4, Instructions: 175COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00417A51 Relevance: 4.6, Strings: 3, Instructions: 815COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00426837 Relevance: 3.1, Strings: 2, Instructions: 556COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043A1A9 Relevance: 2.9, Strings: 2, Instructions: 441COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00409140 Relevance: 2.9, Strings: 2, Instructions: 403COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00421200 Relevance: 2.8, Strings: 2, Instructions: 276COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042BC3F Relevance: 2.7, Strings: 2, Instructions: 177COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00413DA0 Relevance: 2.1, Strings: 1, Instructions: 846COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004146D0 Relevance: 1.7, Strings: 1, Instructions: 499COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042A8B0 Relevance: 1.7, Strings: 1, Instructions: 411COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00417303 Relevance: 1.6, Strings: 1, Instructions: 338COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004253E5 Relevance: 1.4, Strings: 1, Instructions: 200COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042BCC8 Relevance: 1.4, Strings: 1, Instructions: 169COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043E7DE Relevance: 1.3, Strings: 1, Instructions: 76COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041B84B Relevance: 1.3, Strings: 1, Instructions: 57COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004073B0 Relevance: .6, Instructions: 625COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004396F0 Relevance: .6, Instructions: 612COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043F5C0 Relevance: .6, Instructions: 563COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043F6D0 Relevance: .5, Instructions: 456COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043F800 Relevance: .4, Instructions: 387COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004406F0 Relevance: .4, Instructions: 359COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043F8B0 Relevance: .3, Instructions: 349COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043F940 Relevance: .3, Instructions: 348COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041B4B9 Relevance: .2, Instructions: 212COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041B323 Relevance: .1, Instructions: 145COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040E425 Relevance: .1, Instructions: 140COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043EFF1 Relevance: .1, Instructions: 130COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040E65B Relevance: .1, Instructions: 129COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043C480 Relevance: .1, Instructions: 107COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042D14C Relevance: .1, Instructions: 100COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043C980 Relevance: .1, Instructions: 78COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004274E8 Relevance: .1, Instructions: 68COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00436150 Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042A320 Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042D941 Relevance: .0, Instructions: 50COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042D7B7 Relevance: .0, Instructions: 48COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402BA0 Relevance: .0, Instructions: 44COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042C097 Relevance: .0, Instructions: 37COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043303D Relevance: 35.2, APIs: 1, Strings: 19, Instructions: 152memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00432165 Relevance: 35.2, APIs: 1, Strings: 19, Instructions: 151memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|