Windows
Analysis Report
uUtgy7BbF1.exe
Overview
General Information
Sample name: | uUtgy7BbF1.exe (renamed because the original name is a hash value) |
Original sample name: | 425be48f2d7cc72615c4cdfda5341832.exe |
Analysis ID: | 1581192 |
MD5: | 425be48f2d7cc72615c4cdfda5341832 |
SHA1: | 093d262086312a5f86ec903ea321cfbe0d3bb4fe |
SHA256: | 4c55b2bc8fb77aaaf71552039073386e76cce6ee45fee54d2c8fd84aba97d691 |
Tags: | exe, LummaStealer, user-abuse_ch |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- uUtgy7BbF1.exe (PID: 7484 cmdline: "C:\Users\user\Desktop\uUtgy7BbF1.exe" MD5: 425BE48F2D7CC72615C4CDFDA5341832)
- conhost.exe (PID: 7492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- uUtgy7BbF1.exe (PID: 7580 cmdline: "C:\Users\user\Desktop\uUtgy7BbF1.exe" MD5: 425BE48F2D7CC72615C4CDFDA5341832)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions before stealing further sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | |
{"C2 url": ["curverpluch.lat", "shapestickyr.lat", "bashfulacid.lat", "slipperyloo.lat", "talkynicer.lat", "tentabatte.lat", "wordyfindy.lat", "manyrestro.lat", "volcanohushe.click"], "Build id": "pqZnKP--c3Rld3dz"}
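The extracted configuration above is the most directly actionable part of the report: nine C2 domains and a build id. The script below is an added example (not part of the Joe Sandbox report or the malware) that turns that configuration into detection content: a domain IOC set with subdomain-aware matching, Suricata rules for DNS queries, TLS SNI and the "TeslaBrowser/5.5" user agent named in the description, and a matcher run over constructed log lines. The Suricata keywords used (`dns.query`, `tls.sni`, `http.user_agent`, `endswith`) are Suricata 5+ sticky buffers; the SIDs are placeholders in the local range and the log line format is invented for the example.

```python
# Detection content from the extracted LummaC2 configuration. Added example;
# not Joe Sandbox code. Assumes Suricata 5+ rule syntax.
import json

# Configuration exactly as printed in the report above.
CONFIG_JSON = ('{"C2 url": ["curverpluch.lat", "shapestickyr.lat", "bashfulacid.lat", '
               '"slipperyloo.lat", "talkynicer.lat", "tentabatte.lat", "wordyfindy.lat", '
               '"manyrestro.lat", "volcanohushe.click"], "Build id": "pqZnKP--c3Rld3dz"}')

# User agent named in the malware description above.
C2_USER_AGENT = "TeslaBrowser/5.5"

# Constructed log lines (not from the report): key=value records as a proxy or
# DNS exporter might emit them. Three should match, two should not.
SAMPLE_LOGS = [
    "type=dns query=curverpluch.lat answer=104.21.71.155",
    "type=tls sni=cdn.talkynicer.lat dst=104.21.71.155:443",
    "type=tls sni=www.example.com dst=93.184.216.34:443",
    "type=http method=POST host=203.0.113.10 ua=TeslaBrowser/5.5 path=/api",
    "type=http method=GET host=www.example.com ua=Mozilla/5.0 path=/",
]


def load_c2_domains(config_json):
    """Normalised (lowercase, no trailing dot) C2 domains from the config."""
    cfg = json.loads(config_json)
    return {d.lower().rstrip(".") for d in cfg["C2 url"]}


def host_matches(host, domains):
    """True if host is a C2 domain or a subdomain of one (not a bare suffix match)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def suricata_rules(domains, base_sid=9000000):
    """One DNS and one TLS rule per domain plus a user-agent rule; SIDs are local-range placeholders."""
    rules, sid = [], base_sid
    for d in sorted(domains):
        rules.append(f'alert dns any any -> any any (msg:"LummaC2 C2 domain in DNS query ({d})"; '
                     f'dns.query; content:"{d}"; nocase; endswith; sid:{sid}; rev:1;)')
        rules.append(f'alert tls any any -> any any (msg:"LummaC2 C2 domain in TLS SNI ({d})"; '
                     f'tls.sni; content:"{d}"; nocase; endswith; sid:{sid + 1}; rev:1;)')
        sid += 2
    rules.append(f'alert http any any -> any any (msg:"LummaC2 exfiltration user agent"; '
                 f'http.user_agent; content:"{C2_USER_AGENT}"; sid:{sid}; rev:1;)')
    return rules


def parse_kv(line):
    """Split a 'k=v k=v' record into a dict; values may contain '=' after the first."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def scan_logs(lines, domains):
    """(line, reason) for every record that touches the C2 infrastructure."""
    hits = []
    for line in lines:
        rec = parse_kv(line)
        host = rec.get("query") or rec.get("sni") or rec.get("host", "")
        if host_matches(host, domains):
            hits.append((line, f"c2-domain:{host}"))
        elif rec.get("ua") == C2_USER_AGENT:
            hits.append((line, "c2-user-agent"))
    return hits


if __name__ == "__main__":
    doms = load_c2_domains(CONFIG_JSON)
    print("\n".join(suricata_rules(doms)))
    for line, why in scan_logs(SAMPLE_LOGS, doms):
        print(why, "<-", line)
```

The DNS and SNI rules are the ones that will actually fire on traffic like that in this report, which is all TLS on port 443: the user-agent rule only sees the header when the HTTP is in the clear or behind a decrypting proxy, so it is a complement, not a substitute. Matching requires the host to equal a C2 domain or sit under it; a plain suffix test would also flag a domain such as notcurverpluch.lat.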
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
 | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-27T08:15:06.163000+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49707 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:08.351844+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49708 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:10.869660+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49719 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:13.916099+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49725 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:16.622137+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49731 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:19.857325+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49742 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:22.743964+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49750 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:26.672861+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49758 | 104.21.71.155 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-27T08:15:06.908362+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.9 | 49707 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:09.131944+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.9 | 49708 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:27.536196+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.9 | 49758 | 104.21.71.155 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-27T08:15:06.908362+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.9 | 49707 | 104.21.71.155 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-27T08:15:09.131944+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.9 | 49708 | 104.21.71.155 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-27T08:15:06.163000+0100 | 2058535 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 49707 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:08.351844+0100 | 2058535 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 49708 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:10.869660+0100 | 2058535 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 49719 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:13.916099+0100 | 2058535 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 49725 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:16.622137+0100 | 2058535 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 49731 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:19.857325+0100 | 2058535 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 49742 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:22.743964+0100 | 2058535 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 49750 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:26.672861+0100 | 2058535 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 49758 | 104.21.71.155 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-27T08:15:04.525486+0100 | 2058534 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 55687 | 1.1.1.1 | 53 | UDP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-27T08:15:18.188581+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49731 | 104.21.71.155 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-27T08:15:22.750164+0100 | 2843864 | 1 | A Network Trojan was detected | 192.168.2.9 | 49750 | 104.21.71.155 | 443 | TCP |
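Read together, the alert tables above describe one sequence: a DNS lookup flagged as a C2 domain (SID 2058534, 08:15:04), then eight TLS connections from successive client ports to 104.21.71.155:443, each first tagged as "Unknown Traffic" (2028371) and "Domain Observed Used for C2" (2058535), with higher-confidence trojan signatures firing on some of them. The script below is an added example (not Joe Sandbox or Suricata code) that parses the rows in the page's own pipe-separated format, groups alerts by 5-tuple flow so every signature that fired on a connection is seen together, and measures the DNS-to-first-TLS delay and the mean gap between connections. It treats 104.21.71.155 as the C2 endpoint because every C2-domain TLS alert above points at it.

```python
# Flow correlation of the Suricata alerts listed above. Added example; not
# Joe Sandbox or Suricata code.
from datetime import datetime

# Alert rows copied from the report tables above, same column order
# (constructed input for this example; no trailing pipe).
ALERT_ROWS = """\
2024-12-27T08:15:06.163000+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49707 | 104.21.71.155 | 443 | TCP
2024-12-27T08:15:08.351844+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49708 | 104.21.71.155 | 443 | TCP
2024-12-27T08:15:10.869660+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49719 | 104.21.71.155 | 443 | TCP
2024-12-27T08:15:13.916099+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49725 | 104.21.71.155 | 443 | TCP
2024-12-27T08:15:16.622137+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49731 | 104.21.71.155 | 443 | TCP
2024-12-27T08:15:19.857325+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49742 | 104.21.71.155 | 443 | TCP
2024-12-27T08:15:22.743964+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49750 | 104.21.71.155 | 443 | TCP
2024-12-27T08:15:26.672861+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49758 | 104.21.71.155 | 443 | TCP
2024-12-27T08:15:06.908362+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.9 | 49707 | 104.21.71.155 | 443 | TCP
2024-12-27T08:15:09.131944+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.9 | 49708 | 104.21.71.155 | 443 | TCP
2024-12-27T08:15:27.536196+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.9 | 49758 | 104.21.71.155 | 443 | TCP
2024-12-27T08:15:06.908362+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.9 | 49707 | 104.21.71.155 | 443 | TCP
2024-12-27T08:15:09.131944+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.9 | 49708 | 104.21.71.155 | 443 | TCP
2024-12-27T08:15:06.163000+0100 | 2058535 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 49707 | 104.21.71.155 | 443 | TCP
2024-12-27T08:15:08.351844+0100 | 2058535 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 49708 | 104.21.71.155 | 443 | TCP
2024-12-27T08:15:10.869660+0100 | 2058535 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 49719 | 104.21.71.155 | 443 | TCP
2024-12-27T08:15:13.916099+0100 | 2058535 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 49725 | 104.21.71.155 | 443 | TCP
2024-12-27T08:15:16.622137+0100 | 2058535 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 49731 | 104.21.71.155 | 443 | TCP
2024-12-27T08:15:19.857325+0100 | 2058535 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 49742 | 104.21.71.155 | 443 | TCP
2024-12-27T08:15:22.743964+0100 | 2058535 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 49750 | 104.21.71.155 | 443 | TCP
2024-12-27T08:15:26.672861+0100 | 2058535 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 49758 | 104.21.71.155 | 443 | TCP
2024-12-27T08:15:04.525486+0100 | 2058534 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 55687 | 1.1.1.1 | 53 | UDP
2024-12-27T08:15:18.188581+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49731 | 104.21.71.155 | 443 | TCP
2024-12-27T08:15:22.750164+0100 | 2843864 | 1 | A Network Trojan was detected | 192.168.2.9 | 49750 | 104.21.71.155 | 443 | TCP
"""

C2_IP = "104.21.71.155"  # destination of every 'Domain Observed Used for C2' TLS alert above


def parse_alerts(text):
    """Parse pipe-separated alert rows; rows without exactly 9 columns are skipped."""
    alerts = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) != 9:
            continue
        ts, sid, sev, cls, sip, sport, dip, dport, proto = cols
        alerts.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sid": int(sid), "severity": int(sev), "classtype": cls,
            "flow": (sip, int(sport), dip, int(dport), proto),
        })
    return alerts


def flows(alerts):
    """Group alerts by 5-tuple, ordered by first alert: {flow: {"first": ts, "sids": set}}."""
    out = {}
    for a in sorted(alerts, key=lambda a: a["ts"]):
        f = out.setdefault(a["flow"], {"first": a["ts"], "sids": set()})
        f["sids"].add(a["sid"])
    return out


def flow_sids(alerts, src_port):
    """Sorted SIDs that fired on the flow with the given client port."""
    for (sip, sport, dip, dport, proto), v in flows(alerts).items():
        if sport == src_port:
            return sorted(v["sids"])
    return []


def c2_timeline(alerts, c2_ip):
    """Seconds from the DNS C2 alert to the first TLS flow, TLS flow count, mean gap between flows."""
    fl = flows(alerts)
    dns = min(v["first"] for k, v in fl.items() if k[3] == 53)
    tls = sorted(v["first"] for k, v in fl.items() if k[2] == c2_ip and k[3] == 443)
    gaps = [(b - a).total_seconds() for a, b in zip(tls, tls[1:])]
    return {"dns_to_first_tls": (tls[0] - dns).total_seconds(),
            "tls_flows": len(tls),
            "mean_gap": sum(gaps) / len(gaps) if gaps else 0.0}


if __name__ == "__main__":
    al = parse_alerts(ALERT_ROWS)
    for (sip, sport, dip, dport, proto), v in flows(al).items():
        print(f"{v['first'].time()} {sip}:{sport} -> {dip}:{dport}/{proto} sids={sorted(v['sids'])}")
    print(c2_timeline(al, C2_IP))
```

Grouping by flow is what turns a severity-3 "Unknown Traffic" hit into something worth paging on: on this capture the first connection (client port 49707) carries four signatures, and the whole session of eight connections spaced a few seconds apart starts 1.6 seconds after the flagged DNS lookup. On a real sensor the same logic applies to `eve.json` records keyed on `flow_id` instead of the 5-tuple.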
AV Detection |
---|
Source: | Avira URL Cloud: | 10 entries |
Source: | Malware Configuration Extractor: |
Source: | Virustotal: | Perma Link |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | String decryptor: | 15 entries |
Source: | Code function: | 3_2_00417745 |
Source: | Static PE information: |
Source: | HTTPS traffic detected: | 8 entries |
Source: | Static PE information: |
Source: | Code function: | 0_2_00690CF8, 0_2_00690DA9, 3_2_00690CF8, 3_2_00690DA9 |
Source: | Code function: | 90 entries (repeat count in parentheses): 3_2_0042D0CD, 3_2_0040D11B (2), 3_2_00409400, 3_2_0043D4E1, 3_2_00417745, 3_2_00440770, 3_2_004387D0, 3_2_00429070 (2), 3_2_004058D0 (2), 3_2_004158FC, 3_2_00416896, 3_2_0042C89E, 3_2_0042B8BD, 3_2_0042B963, 3_2_0040D907, 3_2_00440180, 3_2_0041598C, 3_2_00419190 (9), 3_2_0041B9A0, 3_2_0041B25A, 3_2_00417A75, 3_2_00417207, 3_2_0042B215, 3_2_0043F286, 3_2_004142A0 (4), 3_2_00417AB8, 3_2_0042BB60, 3_2_0042BB66, 3_2_00402B70, 3_2_00421B00 (2), 3_2_0043DB10, 3_2_0043D325, 3_2_004163C0 (3), 3_2_004393D0 (2), 3_2_004073F0 (2), 3_2_0041A3A0, 3_2_0040B3BB, 3_2_0043E450, 3_2_00440450, 3_2_00426430, 3_2_0040E49F, 3_2_0040C4AE, 3_2_0042856C, 3_2_00415506 (2), 3_2_00418DC5, 3_2_0041D5B0, 3_2_0041864E, 3_2_00428630, 3_2_00426639 (2), 3_2_0042963E, 3_2_00417EEE (2), 3_2_00429E80, 3_2_00415E9A (6), 3_2_0043CEA0, 3_2_00409EB9, 3_2_00418F52, 3_2_00435F00, 3_2_0042963E, 3_2_0040AF23, 3_2_0043F730, 3_2_004167E1, 3_2_00424F80, 3_2_004257AC |
Networking |
---|
Source: | Suricata IDS: | 16 entries |
Source: | URLs: | 9 entries |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | Suricata IDS: | 8 entries |
Source: | HTTP traffic detected: | 8 entries |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: | 44 entries |
Source: | Network traffic detected: | 16 entries |
Source: | HTTPS traffic detected: | 8 entries |
Source: | Code function: | 3_2_00433500 |
Source: | Code function: | 3_2_038A1000 |
Source: | Code function: | 3_2_00433500 |
Source: | Code function: | 119 entries: 0_2_00671000, 0_2_0067E094, 0_2_00696102, 0_2_00682AA1, 0_2_006943FF, 0_2_00688D90, 0_2_00683EA0, 3_2_004098CE, 3_2_004230D3, 3_2_00426090, 3_2_0042217D, 3_2_0040D11B, 3_2_0042C98C, 3_2_00411BC0, 3_2_0043DBAC, 3_2_00409400, 3_2_004384B0, 3_2_0041052C, 3_2_0043FEF0, 3_2_00440770, 3_2_004387D0, 3_2_00429070, 3_2_00409000, 3_2_00428000, 3_2_0041C0C0, 3_2_004058D0, 3_2_004038D0, 3_2_00423750, 3_2_0043E8A7, 3_2_0042A950, 3_2_0041C920, 3_2_004301D5, 3_2_004239E0, 3_2_004391E1, 3_2_00408180, 3_2_00406180, 3_2_00440180, 3_2_0041E990, 3_2_0041A190, 3_2_00419190, 3_2_0041B9A0, 3_2_00418241, 3_2_0041FA74, 3_2_00430A78, 3_2_00417207, 3_2_00433210, 3_2_00428A31, 3_2_00415A3C, 3_2_0042C2C1, 3_2_00404280, 3_2_004142A0, 3_2_00417AB8, 3_2_00423B40, 3_2_0041D350, 3_2_00421B00, 3_2_0042D306, 3_2_004163C0, 3_2_004393D0, 3_2_004383D0, 3_2_004073F0, 3_2_0042D3F1, 3_2_00425380, 3_2_0043F380, 3_2_00422B84, 3_2_0041CB90, 3_2_0042D391, 3_2_00422BA0, 3_2_00404BB0, 3_2_00440450, 3_2_0042B46E, 3_2_00436C7D, 3_2_00426430, 3_2_0042B435, 3_2_00418CE1, 3_2_00439C8E, 3_2_0043F490, 3_2_0040CC99, 3_2_0040E49F, 3_2_004374A3, 3_2_00427D52, 3_2_0042856C, 3_2_00415506, 3_2_00427527, 3_2_0043EDCE, 3_2_0043F5E0, 3_2_00437D80, 3_2_0041D5B0, 3_2_00406610, 3_2_0042E617, 3_2_00405E20, 3_2_00427E22, 3_2_00428630, 3_2_00430637, 3_2_00426639, 3_2_00402ED0, 3_2_00417EEE, 3_2_0043F690, 3_2_00415E9A, 3_2_00414EA0, 3_2_0040F6AA, 3_2_0042774C, 3_2_00423750, 3_2_00421770, 3_2_0040AF23, 3_2_0043F730, 3_2_0043C730, 3_2_00410FC8, 3_2_00426FD0, 3_2_00437FE0, 3_2_0040A780, 3_2_0041CFA0, 3_2_004257AC, 3_2_00671000, 3_2_0067E094, 3_2_00696102, 3_2_00682AA1, 3_2_006943FF, 3_2_00688D90, 3_2_00683EA0 |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Code function: | 3_2_004387D0 |
Source: | Mutant created: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Binary or memory string: |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | File read: |
Source: | Process created: | 4 entries |
Source: | Section loaded: | 39 entries |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Code function: | 0_2_0067E76D, 3_2_004488E3, 3_2_0043F2F2, 3_2_0067E76D |
Source: | Process information set: |
Malware Analysis System Evasion |
---|
Source: | WMI Queries: |
Source: | System information queried: |
Source: | Window / User API: |
Source: | Thread sleep time: |
Source: | Thread sleep count: |
Source: | WMI Queries: |
Source: | Last function: | 2 entries |
Source: | Code function: | 0_2_00690CF8, 0_2_00690DA9, 3_2_00690CF8, 3_2_00690DA9 |
Source: | Binary or memory string: | 34 entries |
Source: | API call chain: | graph_3-33432 |
Source: | Process information queried: |
Source: | Code function: | 3_2_0043DA10 |
Source: | Code function: | 0_2_006872FD |
Source: | Code function: | 0_2_006A619E, 0_2_00671690, 3_2_00671690 |
Source: | Code function: | 0_2_0068C705 |
Source: | Code function: | 0_2_0067E06C, 0_2_006872FD, 0_2_0067E420, 0_2_0067E42C, 3_2_0067E06C, 3_2_006872FD, 3_2_0067E420, 3_2_0067E42C |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Code function: | 0_2_006A619E |
Source: | Memory written: |
Source: | String found in binary or memory: | 9 entries |
Source: | Process created: |
Source: | Code function: | 0_2_00690062, 0_2_006908CD, 0_2_0068BA4C, 0_2_006902B3, 0_2_0069034E, 0_2_006905A1, 0_2_00690600, 0_2_006906D5, 0_2_00690720, 0_2_0068BFF0, 0_2_006907C7, 3_2_00690062, 3_2_006908CD, 3_2_0068BA4C, 3_2_006902B3, 3_2_0069034E, 3_2_006905A1, 3_2_00690600, 3_2_006906D5, 3_2_00690720, 3_2_0068BFF0, 3_2_006907C7 |
Source: | Queries volume information: |
Source: | Code function: | 0_2_0067EB50 |
Source: | Key value queried: |
Source: | Binary or memory string: |
Source: | WMI Queries: |
Stealing of Sensitive Information |
---|
Source: | File source: | 3 entries |
Source: | String found in binary or memory: | 9 entries |
Source: | File opened: 128 entries (source process and file paths not preserved in this extraction; each was linked to a behavior entry in the original report) |
Source: | Directory queried: 8 entries (source process and directory paths not preserved in this extraction) |
Source: | File source: 4 entries (match details not preserved in this extraction) |
Remote Access Functionality |
---|
Source: | File source: 3 entries (match details not preserved in this extraction) |
MITRE ATT&CK matrix of matched techniques (a leading number on a technique is the count of signatures that matched it):
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 DLL Side-Loading | 211 Process Injection | 21 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 211 Process Injection | LSASS Memory | 241 Security Software Discovery | Remote Desktop Protocol | 41 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 3 Clipboard Data | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 11 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 33 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 69% | Virustotal | | Browse |
| 68% | ReversingLabs | Win32.Trojan.LummaStealer | |
| 100% | Joe Sandbox ML | | |
URL scan results: 11 URLs checked by Avira URL Cloud, 10 rated malware (100%) and 1 rated safe (0%); the URLs themselves are not preserved in this extraction.
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
volcanohushe.click | 104.21.71.155 | true | true | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
(10 entries; names not preserved in this extraction) | 8 false, 2 true | | high for the 8 benign entries, unknown for the 2 malicious ones |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
(31 entries; names and sources not preserved in this extraction) | | 24 false, 7 true | | high for 22 of the benign entries, unknown for the other 2 benign entries and for all 7 malicious ones |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
104.21.71.155 | volcanohushe.click | United States | 13335 | CLOUDFLARENETUS | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1581192 |
Start date and time: | 2024-12-27 08:14:10 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 18s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 8 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | uUtgy7BbF1.exe (renamed because the original name is a hash value) |
Original Sample Name: | 425be48f2d7cc72615c4cdfda5341832.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@4/1@1/1 |
EGA Information: |
HCA Information: |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.12.23.50
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description |
---|---|---|
02:15:05 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
104.21.71.155 | | Get hash | malicious | LummaC | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
volcanohushe.click | | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CLOUDFLARENETUS | | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | Vidar | Browse | |
| | Get hash | malicious | Vidar | Browse | |
| | Get hash | malicious | Vidar | Browse | |
| | Get hash | malicious | Vidar | Browse | |
| | Get hash | malicious | CredGrabber, Meduza Stealer | Browse | |
| | Get hash | malicious | CredGrabber, Meduza Stealer | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | LummaC | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | Gozi, Ursnif | Browse | |
| | Get hash | malicious | NetSupport RAT, LummaC, LummaC Stealer | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
Process: | C:\Users\user\Desktop\uUtgy7BbF1.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 15 |
Entropy (8bit): | 3.906890595608518 |
Encrypted: | false |
SSDEEP: | 3:SXhRi75n:SC5 |
MD5: | 3A33AF4BC7DC9699EE324B91553C2B46 |
SHA1: | 4CCE2BF1011CA006FAAB23506A349173ACC40434 |
SHA-256: | 226D20C16ED4D8DDDFD00870E83E3B6EEDEDB86704A7BF43B5826B71D61500AE |
SHA-512: | 960194C8B60C086520D1A76B94F52BA88AC2DDEC76A18B2D7ABF758FFFF138E9EDD23E62D4375A34072B42FBA51C6D186554B1AA71D60835EF1E18BEB8873B1D |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 0.39346751807127767 |
TrID: |
File name: | uUtgy7BbF1.exe |
File size: | 19'414'528 bytes |
MD5: | 425be48f2d7cc72615c4cdfda5341832 |
SHA1: | 093d262086312a5f86ec903ea321cfbe0d3bb4fe |
SHA256: | 4c55b2bc8fb77aaaf71552039073386e76cce6ee45fee54d2c8fd84aba97d691 |
SHA512: | d038f7255a91a0fb02268fb920a1bb5db4502e18c5f2ace67a1ccc384cd3ef1567eaafb7ff727436ce84d7d265027a2e7cb2fedfa9da7af65bf3fe49e7e8e847 |
SSDEEP: | 12288:luB9du8NOZx84E5YoS7OJlnDYrPLPJgu4dgT6lYDfAmy/yqvkkheLk:u9du88Zx8VAeDgPLxZ4GO+y5heQ |
TLSH: | FD17D011B58CC0F2D863147758B6EBAA863EB9200F226ADFB7940D7ACF352D19731716 |
File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...WZig..........".................R.............@.......................................@.................................dH..<.. |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x40ef52 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows cui (console subsystem, which is why a conhost.exe is attached to the process in the process tree) |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x67695A57 [Mon Dec 23 12:40:55 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 5cc7e689f2864a0a9a8589c00efad8df |
Instruction (disassembly at the entry point 0x40ef52; the first routine is the MSVC CRT security-cookie initialisation, recognisable by the default /GS cookie constant BB40E64Eh and the 4711h high-word fix-up, so this is compiler boilerplate rather than malware-specific logic) |
---|
call 00007F28306D4D6Ah |
jmp 00007F28306D4BD9h |
mov ecx, dword ptr [00436840h] |
push esi |
push edi |
mov edi, BB40E64Eh |
mov esi, FFFF0000h |
cmp ecx, edi |
je 00007F28306D4D66h |
test esi, ecx |
jne 00007F28306D4D88h |
call 00007F28306D4D91h |
mov ecx, eax |
cmp ecx, edi |
jne 00007F28306D4D69h |
mov ecx, BB40E64Fh |
jmp 00007F28306D4D70h |
test esi, ecx |
jne 00007F28306D4D6Ch |
or eax, 00004711h |
shl eax, 10h |
or ecx, eax |
mov dword ptr [00436840h], ecx |
not ecx |
pop edi |
mov dword ptr [00436880h], ecx |
pop esi |
ret |
push ebp |
mov ebp, esp |
sub esp, 14h |
lea eax, dword ptr [ebp-0Ch] |
xorps xmm0, xmm0 |
push eax |
movlpd qword ptr [ebp-0Ch], xmm0 |
call dword ptr [00434AC4h] |
mov eax, dword ptr [ebp-08h] |
xor eax, dword ptr [ebp-0Ch] |
mov dword ptr [ebp-04h], eax |
call dword ptr [00434A78h] |
xor dword ptr [ebp-04h], eax |
call dword ptr [00434A74h] |
xor dword ptr [ebp-04h], eax |
lea eax, dword ptr [ebp-14h] |
push eax |
call dword ptr [00434B0Ch] |
mov eax, dword ptr [ebp-10h] |
lea ecx, dword ptr [ebp-04h] |
xor eax, dword ptr [ebp-14h] |
xor eax, dword ptr [ebp-04h] |
xor eax, ecx |
leave |
ret |
mov eax, 00004000h |
ret |
push 00437E18h |
call dword ptr [00434AE4h] |
ret |
mov al, 01h |
ret |
push 00030000h |
push 00010000h |
push 00000000h |
call 00007F28306DC54Bh |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x34864 | 0x3c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3a000 | 0x1d70 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x30d08 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2d008 | 0xc0 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x34a0c | 0x16c | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x2a52b | 0x2a600 | ca7697ad91eaacd837ed51179759a947 | False | 0.5367809734513275 | data | 6.539348053061756 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x2c000 | 0x9d7c | 0x9e00 | 964f1e27d13bf05fbdae349f651c8112 | False | 0.4288221914556962 | data | 4.95389314063731 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x36000 | 0x25e4 | 0x1600 | f9cffcfbe2a982ed0d73caf2c5c26405 | False | 0.40678267045454547 | data | 4.770466622070642 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0x39000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.reloc | 0x3a000 | 0x1d70 | 0x1e00 | 050a442cf25b388dea29342e31853d9f | False | 0.7709635416666667 | data | 6.524650010128688 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.bss | 0x3c000 | 0x4be00 | 0x4be00 | efc7aa847f859737dfbd486ef2521483 | False | 1.0003249845551894 | data | 7.999368503304723 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
DLL | Import |
---|---|
KERNEL32.dll | AcquireSRWLockExclusive, CloseHandle, CompareStringW, CreateFileW, CreateThread, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, ExitThread, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetExitCodeThread, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, WaitForSingleObjectEx, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile |
USER32.dll | DefWindowProcW |
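The section table and the import list above support a static-triage reading that the report itself does not spell out. The following Python is an added example for this page, not Joe Sandbox or Lumma code: it re-implements the Shannon entropy behind the "Entropy (8bit)" column, flags the anomalous .bss section (a real .bss is uninitialised and occupies no file space, yet this one carries 0x4be00 bytes on disk at entropy 7.999), estimates how much of the 19,414,528-byte file lies outside every section, models the whole-file entropy of a small dense PE followed by zero padding to show that the reported 0.39 is consistent with exactly that layout, and compares the imported APIs against what the behaviour the sandbox observed (TLS to the C2, a second copy of the process, the process-injection entries in the ATT&CK matrix) normally requires. The header size, the entropy threshold, the capability-to-API map and the model's scale factor are this example's assumptions; the section and import values are copied from the tables above.

```python
"""Static triage over the PE metadata Joe Sandbox printed for uUtgy7BbF1.exe.
Added example, not Joe Sandbox or Lumma code. Section and import values are copied
from the report tables; HEADER_SIZE, the entropy threshold, CAPABILITY_APIS and the
model scale factor are this example's assumptions."""
import math

FILE_SIZE = 19_414_528          # "File size" in the report
REPORTED_FILE_ENTROPY = 0.3935  # whole-file "Entropy (8bit)" in the report
HEADER_SIZE = 0x400             # assumed DOS+PE header size (raw offsets are not printed)

# (name, virtual size, raw size, entropy, characteristics) from the section table
SECTIONS = [
    (".text",  0x2a52b, 0x2a600, 6.539, {"CODE", "EXECUTE", "READ"}),
    (".rdata", 0x9d7c,  0x9e00,  4.954, {"INITIALIZED_DATA", "READ"}),
    (".data",  0x25e4,  0x1600,  4.770, {"INITIALIZED_DATA", "READ", "WRITE"}),
    (".tls",   0x9,     0x200,   0.020, {"INITIALIZED_DATA", "READ", "WRITE"}),
    (".reloc", 0x1d70,  0x1e00,  6.525, {"INITIALIZED_DATA", "DISCARDABLE", "READ"}),
    (".bss",   0x4be00, 0x4be00, 7.999, {"INITIALIZED_DATA", "READ", "WRITE"}),
]

# KERNEL32.dll and USER32.dll imports exactly as the report lists them
IMPORTS = set(
    "AcquireSRWLockExclusive, CloseHandle, CompareStringW, CreateFileW, CreateThread, DecodePointer, "
    "DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, ExitThread, "
    "FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, "
    "FreeLibraryAndExitThread, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, "
    "GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, "
    "GetExitCodeThread, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameA, "
    "GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, "
    "GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, "
    "HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, "
    "InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, "
    "LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, "
    "RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, "
    "SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, "
    "TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, "
    "UnhandledExceptionFilter, WaitForSingleObjectEx, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, "
    "WriteFile, DefWindowProcW".split(", ")
)

# Assumed minimal API sets for behaviours the sandbox observed at runtime
CAPABILITY_APIS = {
    "network to C2":       {"WSAStartup", "connect", "send", "InternetOpenW", "WinHttpOpen", "WinHttpSendRequest"},
    "child process spawn": {"CreateProcessW", "CreateProcessA", "ShellExecuteW", "ShellExecuteExW"},
    "process injection":   {"VirtualAlloc", "VirtualAllocEx", "VirtualProtect", "WriteProcessMemory",
                            "NtUnmapViewOfSection", "CreateRemoteThread", "SetThreadContext", "ResumeThread"},
}
DYNAMIC_RESOLVERS = {"GetProcAddress", "LoadLibraryExW", "LoadLibraryW", "LoadLibraryA", "GetModuleHandleW"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, the measure behind the report's 'Entropy (8bit)' column."""
    n = len(data)
    if n == 0:
        return 0.0
    h = 0.0
    for value in range(256):
        count = data.count(bytes([value]))
        if count:
            p = count / n
            h -= p * math.log2(p)
    return h

def section_findings(sections=SECTIONS, entropy_threshold=7.5):
    """Sections that deserve a second look, as (name, reason) pairs."""
    findings = []
    for name, _vsize, rawsize, entropy, chars in sections:
        if entropy >= entropy_threshold:
            findings.append((name, f"entropy {entropy:.3f}: compressed or encrypted content"))
        if name == ".bss" and rawsize > 0:
            findings.append((name, f"a real .bss is uninitialised and takes no file space, "
                                   f"but this one carries 0x{rawsize:x} bytes on disk"))
        if {"EXECUTE", "WRITE"} <= chars:
            findings.append((name, "writable and executable"))
    return findings

def bytes_outside_sections(sections=SECTIONS, file_size=FILE_SIZE, header=HEADER_SIZE):
    """Lower bound on file bytes that no section maps (overlay or padding)."""
    return file_size - header - sum(raw for _, _, raw, _, _ in sections)

def modelled_file_entropy(sections=SECTIONS, file_size=FILE_SIZE, header=HEADER_SIZE, scale=64):
    """Entropy of a synthetic file laid out like this one: headers and sections as maximally
    dense bytes, everything after them zero. Entropy depends only on byte proportions, so the
    model is built at 1/scale size. A result near the reported 0.39 says the bulk of the
    19 MB is zero padding rather than content."""
    total_mapped = header + sum(raw for _, _, raw, _, _ in sections)
    mapped, padding = total_mapped // scale, (file_size - total_mapped) // scale
    dense = (bytes(range(256)) * (mapped // 256 + 1))[:mapped]
    return shannon_entropy(dense + b"\x00" * padding)

def capability_gaps(imports=IMPORTS, observed=CAPABILITY_APIS):
    """Observed behaviours with no supporting API in the import table, plus the
    dynamic-resolution primitives that would let the sample fetch them at runtime."""
    gaps = [behaviour for behaviour, apis in observed.items() if not (apis & imports)]
    return gaps, sorted(DYNAMIC_RESOLVERS & imports)

if __name__ == "__main__":
    for name, why in section_findings():
        print(f"[section] {name}: {why}")
    print(f"[overlay] at least {bytes_outside_sections():,} bytes lie outside every section")
    print(f"[entropy] padded-file model {modelled_file_entropy():.2f} vs reported {REPORTED_FILE_ENTROPY}")
    gaps, resolvers = capability_gaps()
    print(f"[imports] no static import for {gaps}; resolvers present: {resolvers}")
```

Read together, the output says: the only high-entropy region is a writable data section that a genuine compiler would have left empty on disk; roughly 97% of the file is zero padding after the last section (the model lands at about 0.40 bits per byte against the reported 0.39), a layout commonly used to push a sample past size limits in scanners; and none of the APIs the observed network, process-spawn or injection activity needs is imported statically, while GetProcAddress and LoadLibraryExW are, so expect the payload in .bss to be decrypted and to resolve its own APIs at runtime. Each of these is an indicator to confirm under a debugger, not proof on its own.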
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-27T08:15:04.525486+0100 | 2058534 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (volcanohushe .click) | 1 | 192.168.2.9 | 55687 | 1.1.1.1 | 53 | UDP |
2024-12-27T08:15:06.163000+0100 | 2058535 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (volcanohushe .click in TLS SNI) | 1 | 192.168.2.9 | 49707 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:06.163000+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49707 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:06.908362+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.9 | 49707 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:06.908362+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.9 | 49707 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:08.351844+0100 | 2058535 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (volcanohushe .click in TLS SNI) | 1 | 192.168.2.9 | 49708 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:08.351844+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49708 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:09.131944+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.9 | 49708 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:09.131944+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.9 | 49708 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:10.869660+0100 | 2058535 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (volcanohushe .click in TLS SNI) | 1 | 192.168.2.9 | 49719 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:10.869660+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49719 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:13.916099+0100 | 2058535 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (volcanohushe .click in TLS SNI) | 1 | 192.168.2.9 | 49725 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:13.916099+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49725 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:16.622137+0100 | 2058535 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (volcanohushe .click in TLS SNI) | 1 | 192.168.2.9 | 49731 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:16.622137+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49731 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:18.188581+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.9 | 49731 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:19.857325+0100 | 2058535 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (volcanohushe .click in TLS SNI) | 1 | 192.168.2.9 | 49742 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:19.857325+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49742 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:22.743964+0100 | 2058535 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (volcanohushe .click in TLS SNI) | 1 | 192.168.2.9 | 49750 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:22.743964+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49750 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:22.750164+0100 | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 1 | 192.168.2.9 | 49750 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:26.672861+0100 | 2058535 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (volcanohushe .click in TLS SNI) | 1 | 192.168.2.9 | 49758 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:26.672861+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49758 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:27.536196+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.9 | 49758 | 104.21.71.155 | 443 | TCP |
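The alert list above is flat; a detection engineer wants it folded back into connections so the sequence per flow (DNS lookup, TLS SNI, JA3 match, check-in, exfiltration) and the cadence of new connections become visible. The following Python is an added example, not part of the report or of the ET ruleset: it parses rows in the report's own pipe layout (ALERT_ROWS is a constructed subset of the table above), groups alerts by 5-tuple, maps each ET signature ID to a coarse stage, and measures the gap between successive TLS connections to 104.21.71.155 to decide whether the pattern has the shape of beaconing. The SID-to-stage map and the beaconing thresholds are this example's assumptions, and the first alert time of each flow stands in for the connection start; the packet table that follows the alerts carries the actual SYN timestamps.

```python
"""Fold the Suricata alerts Joe Sandbox listed for uUtgy7BbF1.exe into per-connection flows.
Added example; not part of the report or of the ET ruleset. ALERT_ROWS is a constructed
subset of the report's alert table in the report's own pipe layout; STAGE_BY_SID and the
beaconing thresholds are this example's assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import median

ALERT_ROWS = """\
2024-12-27T08:15:04.525486+0100 | 2058534 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (volcanohushe .click) | 1 | 192.168.2.9 | 55687 | 1.1.1.1 | 53 | UDP |
2024-12-27T08:15:06.163000+0100 | 2058535 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (volcanohushe .click in TLS SNI) | 1 | 192.168.2.9 | 49707 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:06.163000+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49707 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:06.908362+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.9 | 49707 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:06.908362+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.9 | 49707 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:08.351844+0100 | 2058535 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (volcanohushe .click in TLS SNI) | 1 | 192.168.2.9 | 49708 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:09.131944+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.9 | 49708 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:10.869660+0100 | 2058535 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (volcanohushe .click in TLS SNI) | 1 | 192.168.2.9 | 49719 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:13.916099+0100 | 2058535 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (volcanohushe .click in TLS SNI) | 1 | 192.168.2.9 | 49725 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:16.622137+0100 | 2058535 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (volcanohushe .click in TLS SNI) | 1 | 192.168.2.9 | 49731 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:18.188581+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.9 | 49731 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:22.743964+0100 | 2058535 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (volcanohushe .click in TLS SNI) | 1 | 192.168.2.9 | 49750 | 104.21.71.155 | 443 | TCP |
2024-12-27T08:15:22.750164+0100 | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 1 | 192.168.2.9 | 49750 | 104.21.71.155 | 443 | TCP |
"""

# Assumed mapping from the ET signature IDs seen above to a coarse intrusion stage
STAGE_BY_SID = {
    2058534: "dns-resolution", 2058535: "tls-sni", 2028371: "ja3-fingerprint",
    2049836: "c2-activity", 2049812: "c2-activity", 2054653: "c2-checkin",
    2048094: "exfiltration", 2843864: "exfiltration",
}
STAGE_RANK = ["unmapped", "dns-resolution", "tls-sni", "ja3-fingerprint",
              "c2-activity", "c2-checkin", "exfiltration"]

def parse_alerts(text=ALERT_ROWS):
    """Parse 'timestamp | sid | signature | severity | sip | sport | dip | dport | proto' rows."""
    alerts = []
    for line in text.splitlines():
        line = line.rstrip(" |")          # accept rows with or without the trailing pipe
        if not line:
            continue
        ts, sid, sig, sev, sip, sport, dip, dport, proto = (f.strip() for f in line.split(" | "))
        alerts.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sid": int(sid), "signature": sig, "severity": int(sev),
            "flow": (sip, int(sport), dip, int(dport), proto),   # 5-tuple
        })
    return sorted(alerts, key=lambda a: a["time"])   # stable sort: ties keep report order

def flow_summaries(alerts):
    """One record per 5-tuple: first alert time, ordered distinct stages, furthest stage reached."""
    by_flow = defaultdict(list)
    for a in alerts:
        by_flow[a["flow"]].append(a)
    summaries = []
    for flow, items in by_flow.items():
        stages = []
        for a in items:
            stage = STAGE_BY_SID.get(a["sid"], "unmapped")
            if stage not in stages:
                stages.append(stage)
        summaries.append({"flow": flow, "start": items[0]["time"], "stages": stages,
                          "peak": max(stages, key=STAGE_RANK.index)})
    return sorted(summaries, key=lambda s: s["start"])

def beacon_profile(summaries, dst_ip, dst_port=443, min_flows=5, max_median_gap=5.0):
    """Gaps between successive TCP connections to one destination. Many short-lived
    connections a few seconds apart is the shape worth alerting on; the thresholds are assumptions."""
    starts = [s["start"] for s in summaries if s["flow"][2:] == (dst_ip, dst_port, "TCP")]
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    med = median(gaps) if gaps else None
    return {"connections": len(starts), "gaps": gaps, "median_gap": med,
            "beaconing": len(starts) >= min_flows and med is not None and med <= max_median_gap}

if __name__ == "__main__":
    summaries = flow_summaries(parse_alerts())
    for s in summaries:
        sip, sport, dip, dport, proto = s["flow"]
        print(f"{s['start']:%H:%M:%S.%f} {proto} {sip}:{sport} -> {dip}:{dport}  "
              f"peak={s['peak']}  {' > '.join(s['stages'])}")
    print(beacon_profile(summaries, "104.21.71.155"))
```

On this subset the result is one UDP flow (the DNS resolution) and six TLS connections to the same Cloudflare-fronted host within about 17 seconds, a median gap of roughly 2.7 seconds between them, and two flows (source ports 49731 and 49750) whose furthest stage is exfiltration. The per-flow view also shows why the SNI and JA3 rules fire on every connection while the check-in and exfiltration rules fire only on some: the former match the ClientHello, the latter match the decrypted request body the sandbox's HTTPS proxy exposes, which an unproxied sensor would not see.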
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 27, 2024 08:15:04.892524958 CET | 49707 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:04.892576933 CET | 443 | 49707 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:04.892676115 CET | 49707 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:04.895401001 CET | 49707 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:04.895436049 CET | 443 | 49707 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:06.162899017 CET | 443 | 49707 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:06.163000107 CET | 49707 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:06.165913105 CET | 49707 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:06.165929079 CET | 443 | 49707 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:06.166245937 CET | 443 | 49707 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:06.210073948 CET | 49707 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:06.211788893 CET | 49707 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:06.211810112 CET | 49707 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:06.211947918 CET | 443 | 49707 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:06.908413887 CET | 443 | 49707 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:06.908526897 CET | 443 | 49707 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:06.908629894 CET | 49707 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:06.910610914 CET | 49707 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:06.910625935 CET | 443 | 49707 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:06.919159889 CET | 49708 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:06.919204950 CET | 443 | 49708 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:06.919270992 CET | 49708 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:06.919518948 CET | 49708 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:06.919528961 CET | 443 | 49708 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:08.351775885 CET | 443 | 49708 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:08.351844072 CET | 49708 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:08.356193066 CET | 49708 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:08.356211901 CET | 443 | 49708 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:08.356566906 CET | 443 | 49708 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:08.358824015 CET | 49708 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:08.358949900 CET | 49708 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:08.360304117 CET | 443 | 49708 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:09.131970882 CET | 443 | 49708 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:09.132024050 CET | 443 | 49708 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:09.132080078 CET | 49708 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:09.132095098 CET | 443 | 49708 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:09.132117033 CET | 443 | 49708 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:09.132144928 CET | 49708 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:09.138689041 CET | 443 | 49708 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:09.138776064 CET | 49708 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:09.138802052 CET | 443 | 49708 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:09.159404993 CET | 443 | 49708 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:09.159517050 CET | 49708 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:09.159538984 CET | 443 | 49708 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:09.190167904 CET | 443 | 49708 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:09.190263033 CET | 49708 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:09.190285921 CET | 443 | 49708 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:09.241365910 CET | 49708 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:09.251445055 CET | 443 | 49708 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:09.303818941 CET | 49708 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:09.332864046 CET | 443 | 49708 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:09.337515116 CET | 443 | 49708 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:09.337551117 CET | 443 | 49708 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:09.337631941 CET | 49708 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:09.337646008 CET | 443 | 49708 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:09.337698936 CET | 49708 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:09.337932110 CET | 49708 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:09.337950945 CET | 443 | 49708 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:09.337975025 CET | 49708 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:09.337980986 CET | 443 | 49708 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:09.546960115 CET | 49719 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:09.546991110 CET | 443 | 49719 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:09.547060013 CET | 49719 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:09.547425985 CET | 49719 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:09.547446012 CET | 443 | 49719 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:10.869559050 CET | 443 | 49719 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:10.869659901 CET | 49719 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:10.870923996 CET | 49719 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:10.870938063 CET | 443 | 49719 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:10.871181965 CET | 443 | 49719 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:10.872395992 CET | 49719 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:10.872560978 CET | 49719 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:10.872589111 CET | 443 | 49719 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:12.568327904 CET | 443 | 49719 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:12.568428993 CET | 443 | 49719 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:12.568515062 CET | 49719 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:12.568711042 CET | 49719 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:12.568732977 CET | 443 | 49719 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:12.657908916 CET | 49725 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:12.658008099 CET | 443 | 49725 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:12.658119917 CET | 49725 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:12.658474922 CET | 49725 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:12.658510923 CET | 443 | 49725 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:13.916021109 CET | 443 | 49725 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:13.916099072 CET | 49725 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:13.917274952 CET | 49725 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:13.917293072 CET | 443 | 49725 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:13.917567968 CET | 443 | 49725 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:13.918742895 CET | 49725 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:13.918879986 CET | 49725 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:13.918910027 CET | 443 | 49725 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:13.918984890 CET | 49725 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:13.959383011 CET | 443 | 49725 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:15.109813929 CET | 443 | 49725 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:15.109913111 CET | 443 | 49725 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:15.110071898 CET | 49725 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:15.110188961 CET | 49725 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:15.110232115 CET | 443 | 49725 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:15.317234993 CET | 49731 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:15.317296982 CET | 443 | 49731 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:15.317368031 CET | 49731 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:15.317856073 CET | 49731 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:15.317867994 CET | 443 | 49731 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:16.622030020 CET | 443 | 49731 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:16.622137070 CET | 49731 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:16.629961014 CET | 49731 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:16.629997015 CET | 443 | 49731 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:16.630201101 CET | 443 | 49731 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:16.631650925 CET | 49731 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:16.631778955 CET | 49731 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:16.631819010 CET | 443 | 49731 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:16.631902933 CET | 49731 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:16.631912947 CET | 443 | 49731 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:18.188595057 CET | 443 | 49731 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:18.188690901 CET | 443 | 49731 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:18.188747883 CET | 49731 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:18.188880920 CET | 49731 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:18.188910007 CET | 443 | 49731 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:18.599653959 CET | 49742 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:18.599689960 CET | 443 | 49742 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:18.599757910 CET | 49742 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:18.600128889 CET | 49742 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:18.600147963 CET | 443 | 49742 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:19.857243061 CET | 443 | 49742 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:19.857325077 CET | 49742 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:19.858635902 CET | 49742 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:19.858659029 CET | 443 | 49742 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:19.858944893 CET | 443 | 49742 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:19.860222101 CET | 49742 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:19.860352039 CET | 49742 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:19.860357046 CET | 443 | 49742 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:20.959430933 CET | 443 | 49742 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:20.959547043 CET | 443 | 49742 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:20.959695101 CET | 49742 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:20.959875107 CET | 49742 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:20.959903955 CET | 443 | 49742 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:21.532475948 CET | 49750 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:21.532524109 CET | 443 | 49750 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:21.532597065 CET | 49750 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:21.532932043 CET | 49750 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:21.532943964 CET | 443 | 49750 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:22.743887901 CET | 443 | 49750 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:22.743963957 CET | 49750 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:22.746526003 CET | 49750 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:22.746540070 CET | 443 | 49750 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:22.746757984 CET | 443 | 49750 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:22.748864889 CET | 49750 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:22.749504089 CET | 49750 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:22.749535084 CET | 443 | 49750 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:22.749634027 CET | 49750 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:22.749669075 CET | 443 | 49750 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:22.749763966 CET | 49750 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:22.749780893 CET | 443 | 49750 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:22.749902964 CET | 49750 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:22.749932051 CET | 443 | 49750 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:22.750061989 CET | 49750 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:22.750094891 CET | 443 | 49750 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:22.750611067 CET | 49750 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:22.750638962 CET | 443 | 49750 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:22.750647068 CET | 49750 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:22.750827074 CET | 49750 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:22.750859022 CET | 49750 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:22.795330048 CET | 443 | 49750 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:22.796405077 CET | 49750 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:22.796459913 CET | 49750 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:22.796479940 CET | 49750 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:22.839329958 CET | 443 | 49750 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:22.839803934 CET | 49750 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:22.839858055 CET | 49750 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:22.839888096 CET | 49750 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:22.887334108 CET | 443 | 49750 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:22.887470007 CET | 49750 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:22.931330919 CET | 443 | 49750 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:23.222964048 CET | 443 | 49750 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:25.172002077 CET | 443 | 49750 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:25.172086954 CET | 443 | 49750 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:25.176258087 CET | 49750 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:25.223342896 CET | 49750 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:25.223364115 CET | 443 | 49750 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:25.362607002 CET | 49758 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:25.362638950 CET | 443 | 49758 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:25.362724066 CET | 49758 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:25.362966061 CET | 49758 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:25.362988949 CET | 443 | 49758 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:26.672748089 CET | 443 | 49758 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:26.672861099 CET | 49758 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:26.674269915 CET | 49758 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:26.674287081 CET | 443 | 49758 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:26.675586939 CET | 443 | 49758 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:26.722944975 CET | 49758 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:26.722944975 CET | 49758 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:26.723059893 CET | 443 | 49758 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:27.536155939 CET | 443 | 49758 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:27.536218882 CET | 443 | 49758 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:27.536254883 CET | 443 | 49758 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:27.536282063 CET | 443 | 49758 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:27.536313057 CET | 443 | 49758 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:27.536341906 CET | 443 | 49758 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:27.536345959 CET | 49758 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:27.536366940 CET | 443 | 49758 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:27.536396980 CET | 49758 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:27.536406994 CET | 49758 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:27.544545889 CET | 443 | 49758 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:27.544672966 CET | 49758 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:27.544677973 CET | 443 | 49758 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:27.561438084 CET | 443 | 49758 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:27.561552048 CET | 49758 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:27.561559916 CET | 443 | 49758 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:27.565411091 CET | 443 | 49758 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:27.565498114 CET | 443 | 49758 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:27.565515995 CET | 49758 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:27.565563917 CET | 49758 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:27.565687895 CET | 49758 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:27.565704107 CET | 443 | 49758 | 104.21.71.155 | 192.168.2.9 |
Dec 27, 2024 08:15:27.565726995 CET | 49758 | 443 | 192.168.2.9 | 104.21.71.155 |
Dec 27, 2024 08:15:27.565732002 CET | 443 | 49758 | 104.21.71.155 | 192.168.2.9 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 27, 2024 08:15:04.525485992 CET | 55687 | 53 | 192.168.2.9 | 1.1.1.1 |
Dec 27, 2024 08:15:04.881269932 CET | 53 | 55687 | 1.1.1.1 | 192.168.2.9 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Dec 27, 2024 08:15:04.525485992 CET | 192.168.2.9 | 1.1.1.1 | 0x3151 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Dec 27, 2024 08:15:04.881269932 CET | 1.1.1.1 | 192.168.2.9 | 0x3151 | No error (0) | | | 104.21.71.155 | A (IP address) | IN (0x0001) | false |
Dec 27, 2024 08:15:04.881269932 CET | 1.1.1.1 | 192.168.2.9 | 0x3151 | No error (0) | | | 172.67.145.201 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.9 | 49707 | 104.21.71.155 | 443 | 7580 | C:\Users\user\Desktop\uUtgy7BbF1.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-27 07:15:06 UTC | 265 | OUT | |
2024-12-27 07:15:06 UTC | 8 | OUT | |
2024-12-27 07:15:06 UTC | 1125 | IN | |
2024-12-27 07:15:06 UTC | 7 | IN | |
2024-12-27 07:15:06 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.9 | 49708 | 104.21.71.155 | 443 | 7580 | C:\Users\user\Desktop\uUtgy7BbF1.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-27 07:15:08 UTC | 266 | OUT | |
2024-12-27 07:15:08 UTC | 50 | OUT | |
2024-12-27 07:15:09 UTC | 1127 | IN | |
2024-12-27 07:15:09 UTC | 242 | IN | |
2024-12-27 07:15:09 UTC | 1369 | IN | |
2024-12-27 07:15:09 UTC | 1369 | IN | |
2024-12-27 07:15:09 UTC | 1369 | IN | |
2024-12-27 07:15:09 UTC | 1369 | IN | |
2024-12-27 07:15:09 UTC | 1369 | IN | |
2024-12-27 07:15:09 UTC | 1369 | IN | |
2024-12-27 07:15:09 UTC | 1369 | IN | |
2024-12-27 07:15:09 UTC | 1369 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.9 | 49719 | 104.21.71.155 | 443 | 7580 | C:\Users\user\Desktop\uUtgy7BbF1.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-27 07:15:10 UTC | 284 | OUT | |
2024-12-27 07:15:10 UTC | 12848 | OUT | |
2024-12-27 07:15:12 UTC | 1135 | IN | |
2024-12-27 07:15:12 UTC | 20 | IN | |
2024-12-27 07:15:12 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.9 | 49725 | 104.21.71.155 | 443 | 7580 | C:\Users\user\Desktop\uUtgy7BbF1.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-27 07:15:13 UTC | 274 | OUT | |
2024-12-27 07:15:13 UTC | 15006 | OUT | |
2024-12-27 07:15:15 UTC | 1131 | IN | |
2024-12-27 07:15:15 UTC | 20 | IN | |
2024-12-27 07:15:15 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.9 | 49731 | 104.21.71.155 | 443 | 7580 | C:\Users\user\Desktop\uUtgy7BbF1.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-27 07:15:16 UTC | 282 | OUT | |
2024-12-27 07:15:16 UTC | 15331 | OUT | |
2024-12-27 07:15:16 UTC | 5239 | OUT | |
2024-12-27 07:15:18 UTC | 1140 | IN | |
2024-12-27 07:15:18 UTC | 20 | IN | |
2024-12-27 07:15:18 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.9 | 49742 | 104.21.71.155 | 443 | 7580 | C:\Users\user\Desktop\uUtgy7BbF1.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-27 07:15:19 UTC | 277 | OUT | |
2024-12-27 07:15:19 UTC | 1198 | OUT | |
2024-12-27 07:15:20 UTC | 1131 | IN | |
2024-12-27 07:15:20 UTC | 20 | IN | |
2024-12-27 07:15:20 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.9 | 49750 | 104.21.71.155 | 443 | 7580 | C:\Users\user\Desktop\uUtgy7BbF1.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-27 07:15:22 UTC | 280 | OUT | |
2024-12-27 07:15:22 UTC | 15331 | OUT | |
2024-12-27 07:15:22 UTC | 15331 | OUT | |
2024-12-27 07:15:22 UTC | 15331 | OUT | |
2024-12-27 07:15:22 UTC | 15331 | OUT | |
2024-12-27 07:15:22 UTC | 15331 | OUT | |
2024-12-27 07:15:22 UTC | 15331 | OUT | |
2024-12-27 07:15:22 UTC | 15331 | OUT | |
2024-12-27 07:15:22 UTC | 15331 | OUT | |
2024-12-27 07:15:22 UTC | 15331 | OUT | |
2024-12-27 07:15:22 UTC | 15331 | OUT | |
2024-12-27 07:15:25 UTC | 1153 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.9 | 49758 | 104.21.71.155 | 443 | 7580 | C:\Users\user\Desktop\uUtgy7BbF1.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-27 07:15:26 UTC | 266 | OUT | |
2024-12-27 07:15:26 UTC | 85 | OUT | |
2024-12-27 07:15:27 UTC | 1124 | IN | |
2024-12-27 07:15:27 UTC | 245 | IN | |
2024-12-27 07:15:27 UTC | 1369 | IN | |
2024-12-27 07:15:27 UTC | 1369 | IN | |
2024-12-27 07:15:27 UTC | 1369 | IN | |
2024-12-27 07:15:27 UTC | 1369 | IN | |
2024-12-27 07:15:27 UTC | 1369 | IN | |
2024-12-27 07:15:27 UTC | 1369 | IN | |
2024-12-27 07:15:27 UTC | 1369 | IN | |
2024-12-27 07:15:27 UTC | 1369 | IN | |
Target ID: | 0 |
Start time: | 02:15:01 |
Start date: | 27/12/2024 |
Path: | C:\Users\user\Desktop\uUtgy7BbF1.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x670000 |
File size: | 19'414'528 bytes |
MD5 hash: | 425BE48F2D7CC72615C4CDFDA5341832 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 02:15:01 |
Start date: | 27/12/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff70f010000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 02:15:02 |
Start date: | 27/12/2024 |
Path: | C:\Users\user\Desktop\uUtgy7BbF1.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x670000 |
File size: | 19'414'528 bytes |
MD5 hash: | 425BE48F2D7CC72615C4CDFDA5341832 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | false |
Execution Graph
Execution Coverage: | 10% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 1.2% |
Total number of Nodes: | 2000 |
Total number of Limit Nodes: | 32 |
Graph
Function | Relevance | APIs | Strings | Instructions | Tags | Control-flow Graph |
---|---|---|---|---|---|---|
006A619E | 42.3 | 10 | 14 | 295 | thread, injection, memory, COMMON | yes |
0068BD42 | 10.6 | 4 | 2 | 74 | COMMON, LIBRARYCODE | yes |
00671860 | 9.2 | 6 | | 162 | file, COMMON | yes |
00684B24 | 7.0 | 3 | 1 | 15 | COMMON, LIBRARYCODE | yes |
00671700 | 5.3 | 2 | 1 | 81 | memory, COMMON | yes |
0068481D | 4.6 | 3 | | 51 | thread, COMMON | yes |
006849B3 | 4.5 | 3 | | 30 | thread, COMMON | yes |
0068C862 | 3.1 | 2 | | 65 | COMMON | yes |
00684935 | 3.0 | 2 | | 38 | thread, COMMON | yes |
00671B70 | 3.0 | 2 | | 28 | COMMON | yes |
0068AD27 | 3.0 | 2 | | 22 | memory, COMMON, LIBRARYCODE | yes |
00671EA0 | 1.8 | 1 | | 289 | COMMON | |
0067CE13 | 1.6 | 1 | | 116 | COMMON | |
0068AD61 | 1.5 | 1 | | 32 | memory, COMMON, LIBRARYCODE | |
00690062 | 10.7 | 5 | 1 | 182 | COMMON, LIBRARYCODE | |
006907C7 | 8.8 | 3 | 2 | 85 | COMMON, LIBRARYCODE | |
00690DA9 | 6.2 | 4 | | 205 | COMMON | |
0067E42C | 6.1 | 4 | | 70 | COMMON | |
0069034E | 4.7 | 3 | | 205 | COMMON | |
0067E094 | 1.7 | 1 | | 242 | COMMON | |
00690CF8 | 1.7 | 1 | | 199 | file, COMMON | |
00690600 | 1.6 | 1 | | 83 | COMMON | |
00683EA0 | 1.6 | | 1 | 333 | COMMON | |
00682AA1 | 1.6 | | 1 | 318 | COMMON | |
00690720 | 1.6 | 1 | | 63 | COMMON | |
006908CD | 1.5 | 1 | | 48 | COMMON | |
0067E420 | 1.5 | 1 | | 3 | COMMON | |
0068C705 | 1.3 | 1 | | 5 | memory, COMMON | |
00671000 | 0.1 | | | 109 | COMMON | |
00671690 | 0.0 | | | 15 | COMMON | |
0068DC7B | 10.8 | 7 | | 329 | COMMON | |
0067EB1C | 10.5 | 3 | 3 | 15 | library, loader, COMMON | |
00698A9C | 9.3 | 6 | | 292 | COMMON | |
0068A3BC | 9.1 | 2 | 3 | 301 | COMMON, LIBRARYCODE | |
00684A89 | 8.8 | 3 | 2 | 42 | library, loader, COMMON, LIBRARYCODE | |
0068C516 | 7.7 | 5 | | 197 | COMMON | |
0067E8E7 | 7.6 | 5 | | 116 | thread, COMMON | |
0068F766 | 7.2 | 2 | 2 | 191 | COMMON, LIBRARYCODE | |
006952C1 | 7.0 | 3 | 1 | 27 | library, COMMON, LIBRARYCODE | |
00690B86 | 6.1 | 4 | | 82 | COMMON | |
00681652 | 6.1 | 4 | | 79 | COMMON | |
00691F7C | 6.1 | 4 | | 74 | COMMON | |
00672A60 | 6.1 | 4 | | 53 | thread, COMMON | |
0067EFA7 | 6.0 | 4 | | 25 | time, thread, COMMON, LIBRARYCODE | |
0068A7E0 | 5.4 | 1 | 2 | 122 | COMMON, LIBRARYCODE | |
0068A04C | 5.3 | 1 | 2 | 97 | COMMON, LIBRARYCODE | |
Execution Graph
Execution Coverage: | 5.3% |
Dynamic/Decrypted Code Coverage: | 6.9% |
Signature Coverage: | 29.7% |
Total number of Nodes: | 232 |
Total number of Limit Nodes: | 19 |
Graph
Function | Relevance | APIs | Strings | Instructions | Tags | Control-flow Graph |
---|---|---|---|---|---|---|
00411BC0 | 143.9 | 3 | 78 | 2186 | COMMON | |
004387D0 | 32.3 | 11 | 7 | 776 | memory, com, COMMON | yes |
038A1000 | 19.6 | 13 | | 81 | clipboard, sleep, memory, COMMON | yes |
00409400 | 7.9 | | 6 | 366 | COMMON | yes |
00417745 | 1.8 | 1 | | 250 | COMMON | |
00440770 | 1.5 | | 1 | 297 | COMMON | |
0043DA10 | 1.5 | 1 | | 14 | library, COMMON | |
0040D11B | 1.4 | | 1 | 195 | COMMON | |
0042D0CD | 0.2 | | | 153 | COMMON | |
0043D4E1 | 0.0 | | | 45 | COMMON | |
004085B0 | 7.6 | 5 | | 87 | thread, COMMON | yes |
0040CAD6 | 3.1 | 2 | | 120 | COMMON | |
0042BDF4 | 3.1 | 2 | | 99 | COMMON | |
0042BDEE | 3.1 | 2 | | 84 | COMMON | |
0043E9A1 | 3.0 | 2 | | 16 | COMMON | |
0042BD74 | 1.6 | 1 | | 82 | COMMON | |
0043D990 | 1.5 | 1 | | 47 | memory, COMMON | |
00432919 | 1.5 | 1 | | 24 | COMMON | |
0042E1EE | 1.5 | 1 | | 22 | COMMON | |
0040CC67 | 1.5 | 1 | | 17 | COMMON | |
0043BD40 | 1.5 | 1 | | 15 | memory, COMMON | |
0043BD20 | 1.5 | 1 | | 9 | memory, COMMON | |
00433500 | 21.1 | 6 | 6 | 121 | clipboard, COMMON | |
00690062 | 10.7 | 5 | 1 | 182 | COMMON, LIBRARYCODE | |
0042856C | 9.3 | | 7 | 519 | COMMON | |
00428630 | 9.3 | | 7 | 514 | COMMON | |
004257AC | 9.3 | | 7 | 503 | COMMON | |
00426430 | 9.1 | | 7 | 396 | COMMON | |
006907C7 | 8.8 | 3 | 2 | 85 | COMMON, LIBRARYCODE | |
0041D5B0 | 8.5 | | 6 | 1030 | COMMON | |
0041B9A0 | 6.8 | | 5 | 597 | COMMON | |
00690DA9 | 6.2 | 4 | | 205 | COMMON | |
0067E42C | 6.1 | 4 | | 70 | COMMON | |
00417207 | 5.4 | | 4 | 423 | COMMON | |
00415506 | 4.1 | | 3 | 328 | COMMON | |
0041A3A0 | 3.9 | | 3 | 173 | COMMON | |
0042963E | 3.9 | | 3 | 150 | COMMON | |
00426639 | 3.1 | | 2 | 613 | COMMON | |
0040E49F | 2.8 | | 2 | 259 | COMMON | |
004142A0 | 2.4 | | 1 | 1107 | COMMON | |
00415E9A | 1.7 | | 1 | 496 | COMMON | |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004393D0 Relevance: 1.7, Strings: 1, Instructions: 454COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00421B00 Relevance: 1.7, Strings: 1, Instructions: 440COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00417AB8 Relevance: 1.6, Strings: 1, Instructions: 330COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00440450 Relevance: 1.5, Strings: 1, Instructions: 295COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042B8BD Relevance: 1.4, Strings: 1, Instructions: 198COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042B963 Relevance: 1.4, Strings: 1, Instructions: 170COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042BB66 Relevance: 1.4, Strings: 1, Instructions: 156COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0041B25A Relevance: 1.4, Strings: 1, Instructions: 153COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042BB60 Relevance: 1.4, Strings: 1, Instructions: 140COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040C4AE Relevance: 1.3, Strings: 1, Instructions: 63COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0041864E Relevance: 1.3, Strings: 1, Instructions: 57COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043E450 Relevance: 1.3, Strings: 1, Instructions: 36COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00409EB9 Relevance: 1.3, Strings: 1, Instructions: 31COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043DB10 Relevance: 1.3, Strings: 1, Instructions: 26COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004073F0 Relevance: .6, Instructions: 625COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043F730 Relevance: .6, Instructions: 579COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004058D0 Relevance: .4, Instructions: 449COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004163C0 Relevance: .4, Instructions: 395COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00440180 Relevance: .3, Instructions: 274COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043CEA0 Relevance: .2, Instructions: 214COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042B215 Relevance: .2, Instructions: 189COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040AF23 Relevance: .2, Instructions: 187COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040D907 Relevance: .2, Instructions: 165COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00418DC5 Relevance: .1, Instructions: 130COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00418F52 Relevance: .1, Instructions: 112COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043D325 Relevance: .1, Instructions: 106COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004167E1 Relevance: .1, Instructions: 82COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00416896 Relevance: .1, Instructions: 76COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0041598C Relevance: .1, Instructions: 70COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00435F00 Relevance: .1, Instructions: 64COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00429E80 Relevance: .1, Instructions: 63COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042C89E Relevance: .1, Instructions: 60COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004158FC Relevance: .1, Instructions: 58COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00402B70 Relevance: .0, Instructions: 49COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040B3BB Relevance: .0, Instructions: 45COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043F286 Relevance: .0, Instructions: 22COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00417A75 Relevance: .0, Instructions: 18COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00424F80 Relevance: .0, Instructions: 8COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043234E Relevance: 75.4, APIs: 1, Strings: 42, Instructions: 161memoryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00432019 Relevance: 75.4, APIs: 1, Strings: 42, Instructions: 159memoryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0068DC7B Relevance: 10.8, APIs: 7, Instructions: 329COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0068BD42 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0067EB1C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00698A9C Relevance: 9.3, APIs: 6, Instructions: 292COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0068A3BC Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00684A89 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0068C516 Relevance: 7.7, APIs: 5, Instructions: 197COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00671860 Relevance: 7.7, APIs: 5, Instructions: 162COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0067E8E7 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0068F766 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 191COMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 006952C1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00690B86 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00681652 Relevance: 6.1, APIs: 4, Instructions: 79COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00691F7C Relevance: 6.1, APIs: 4, Instructions: 74COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00672A60 Relevance: 6.1, APIs: 4, Instructions: 53threadCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0067EFA7 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0068A7E0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 122COMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0068A04C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|