Edit tour
Windows
Analysis Report
WonderHack.exe
Overview
General Information
| Sample name: | WonderHack.exe |
| Analysis ID: | 1581508 |
| MD5: | 83614dc842994c0adabd914b7273d6cc |
| SHA1: | 4600ed64d6d42dec8f26d503b3af6af2c183a44f |
| SHA256: | 848ccff6a8e523f7e0a7a787b480adad7cf7d0ec6a93362a6a3e94e0e5e93e8d |
| Tags: | exeLummaStealersigneduser-ventoy |
| Infos: |  |
 | |
Detection
LummaC
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
WonderHack.exe (PID: 4760 cmdline: "C:\Users\ user\Deskt op\WonderH ack.exe" MD5: 83614DC842994C0ADABD914B7273D6CC) 
conhost.exe (PID: 5272 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - WonderHack.exe (PID: 6152 cmdline:
"C:\Users\ user\Deskt op\WonderH ack.exe" MD5: 83614DC842994C0ADABD914B7273D6CC)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
{"C2 url": ["scentniej.buzz", "prisonyfork.buzz", "rebuildeso.buzz", "appliacnesot.buzz", "undesirabkel.click", "cashfuzysao.buzz", "hummskitnj.buzz", "inherineau.buzz", "screwamusresz.buzz"], "Build id": "LPnhqo--ybzklzpanlwp"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-27T23:14:57.031822+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49708 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:14:59.248165+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49709 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:15:01.741831+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49710 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:15:04.391250+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49711 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:15:07.061805+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49712 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:15:09.814998+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49713 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:15:12.803297+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49714 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:15:15.432371+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49720 | 104.21.30.13 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-27T23:14:57.931139+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49708 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:15:00.027960+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49709 | 104.21.30.13 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-27T23:14:57.931139+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49708 | 104.21.30.13 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-27T23:15:00.027960+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.5 | 49709 | 104.21.30.13 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-27T23:14:57.031822+0100 | 2058551 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49708 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:14:59.248165+0100 | 2058551 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49709 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:15:01.741831+0100 | 2058551 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49710 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:15:04.391250+0100 | 2058551 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49711 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:15:07.061805+0100 | 2058551 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49712 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:15:09.814998+0100 | 2058551 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49713 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:15:12.803297+0100 | 2058551 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49714 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:15:15.432371+0100 | 2058551 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49720 | 104.21.30.13 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-27T23:14:55.472761+0100 | 2058550 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 58235 | 1.1.1.1 | 53 | UDP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-27T23:15:10.600667+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49713 | 104.21.30.13 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Code function: | 3_2_00415640 | |
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 0_2_001B1F38 | |
| Source: | Code function: | 0_2_001B1FE9 | |
| Source: | Code function: | 3_2_001B1F38 | |
| Source: | Code function: | 3_2_001B1FE9 | |
| Source: | Code function: | 3_2_00426230 | |
| Source: | Code function: | 3_2_004192C0 | |
| Source: | Code function: | 3_2_0043DAA0 | |
| Source: | Code function: | 3_2_0040D35C | |
| Source: | Code function: | 3_2_0043DBB0 | |
| Source: | Code function: | 3_2_0043C59C | |
| Source: | Code function: | 3_2_0043EEC0 | |
| Source: | Code function: | 3_2_0043EEC0 | |
| Source: | Code function: | 3_2_0042BF45 | |
| Source: | Code function: | 3_2_0043F040 | |
| Source: | Code function: | 3_2_0043F040 | |
| Source: | Code function: | 3_2_0042B078 | |
| Source: | Code function: | 3_2_0043A800 | |
| Source: | Code function: | 3_2_0043A800 | |
| Source: | Code function: | 3_2_0043A800 | |
| Source: | Code function: | 3_2_0043A800 | |
| Source: | Code function: | 3_2_0043B813 | |
| Source: | Code function: | 3_2_0043E8D0 | |
| Source: | Code function: | 3_2_004210F3 | |
| Source: | Code function: | 3_2_00418095 | |
| Source: | Code function: | 3_2_0042C894 | |
| Source: | Code function: | 3_2_004290B0 | |
| Source: | Code function: | 3_2_004290B0 | |
| Source: | Code function: | 3_2_0043D140 | |
| Source: | Code function: | 3_2_0041D172 | |
| Source: | Code function: | 3_2_0042C9DA | |
| Source: | Code function: | 3_2_0042C9E9 | |
| Source: | Code function: | 3_2_0042C984 | |
| Source: | Code function: | 3_2_0041D189 | |
| Source: | Code function: | 3_2_004259B0 | |
| Source: | Code function: | 3_2_00414A50 | |
| Source: | Code function: | 3_2_00414A50 | |
| Source: | Code function: | 3_2_00414A50 | |
| Source: | Code function: | 3_2_00414A50 | |
| Source: | Code function: | 3_2_00414A50 | |
| Source: | Code function: | 3_2_0041720B | |
| Source: | Code function: | 3_2_0041720B | |
| Source: | Code function: | 3_2_00408A20 | |
| Source: | Code function: | 3_2_00428290 | |
| Source: | Code function: | 3_2_00407440 | |
| Source: | Code function: | 3_2_00407440 | |
| Source: | Code function: | 3_2_0041CC60 | |
| Source: | Code function: | 3_2_0043B46A | |
| Source: | Code function: | 3_2_0043BC14 | |
| Source: | Code function: | 3_2_0043BC14 | |
| Source: | Code function: | 3_2_00416D52 | |
| Source: | Code function: | 3_2_0041D560 | |
| Source: | Code function: | 3_2_00437D00 | |
| Source: | Code function: | 3_2_0041AD81 | |
| Source: | Code function: | 3_2_00429DA0 | |
| Source: | Code function: | 3_2_0040EDB4 | |
| Source: | Code function: | 3_2_0040EDB4 | |
| Source: | Code function: | 3_2_00428640 | |
| Source: | Code function: | 3_2_0043BCDB | |
| Source: | Code function: | 3_2_004146C0 | |
| Source: | Code function: | 3_2_004266C0 | |
| Source: | Code function: | 3_2_004226D3 | |
| Source: | Code function: | 3_2_00423FF1 | |
| Source: | Code function: | 3_2_00423FF1 | |
| Source: | Code function: | 3_2_00437790 | |
| Source: | Code function: | 3_2_00437790 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 3_2_00431B10 | |
| Source: | Code function: | 3_2_00431B10 | |
| Source: | Code function: | 3_2_00431D10 | |
| Source: | Code function: | 0_2_00191000 | |
| Source: | Code function: | 0_2_0019F555 | |
| Source: | Code function: | 0_2_001B7792 | |
| Source: | Code function: | 0_2_001B5C5E | |
| Source: | Code function: | 0_2_001A9CC0 | |
| Source: | Code function: | 0_2_001A3FB2 | |
| Source: | Code function: | 3_2_00191000 | |
| Source: | Code function: | 3_2_0019F555 | |
| Source: | Code function: | 3_2_001B7792 | |
| Source: | Code function: | 3_2_001B5C5E | |
| Source: | Code function: | 3_2_001A9CC0 | |
| Source: | Code function: | 3_2_001A3FB2 | |
| Source: | Code function: | 3_2_0043A0D0 | |
| Source: | Code function: | 3_2_004368A0 | |
| Source: | Code function: | 3_2_00426230 | |
| Source: | Code function: | 3_2_0040D35C | |
| Source: | Code function: | 3_2_00436BF0 | |
| Source: | Code function: | 3_2_0043DBB0 | |
| Source: | Code function: | 3_2_0040E465 | |
| Source: | Code function: | 3_2_0043E540 | |
| Source: | Code function: | 3_2_00421550 | |
| Source: | Code function: | 3_2_00415640 | |
| Source: | Code function: | 3_2_0042BF45 | |
| Source: | Code function: | 3_2_00410F71 | |
| Source: | Code function: | 3_2_00408720 | |
| Source: | Code function: | 3_2_0041D840 | |
| Source: | Code function: | 3_2_0041A800 | |
| Source: | Code function: | 3_2_0043A800 | |
| Source: | Code function: | 3_2_0043B813 | |
| Source: | Code function: | 3_2_00419820 | |
| Source: | Code function: | 3_2_0041683F | |
| Source: | Code function: | 3_2_0043483C | |
| Source: | Code function: | 3_2_004220C0 | |
| Source: | Code function: | 3_2_004380C5 | |
| Source: | Code function: | 3_2_004460D5 | |
| Source: | Code function: | 3_2_004230E0 | |
| Source: | Code function: | 3_2_004270F9 | |
| Source: | Code function: | 3_2_00418095 | |
| Source: | Code function: | 3_2_0042C894 | |
| Source: | Code function: | 3_2_0043D140 | |
| Source: | Code function: | 3_2_0040B14F | |
| Source: | Code function: | 3_2_00403960 | |
| Source: | Code function: | 3_2_00405970 | |
| Source: | Code function: | 3_2_0040C97C | |
| Source: | Code function: | 3_2_00435135 | |
| Source: | Code function: | 3_2_004061D0 | |
| Source: | Code function: | 3_2_0042C9DA | |
| Source: | Code function: | 3_2_0042C9E9 | |
| Source: | Code function: | 3_2_0043E1F0 | |
| Source: | Code function: | 3_2_0042C984 | |
| Source: | Code function: | 3_2_004259B0 | |
| Source: | Code function: | 3_2_00427A40 | |
| Source: | Code function: | 3_2_0043D240 | |
| Source: | Code function: | 3_2_00414A50 | |
| Source: | Code function: | 3_2_0041C205 | |
| Source: | Code function: | 3_2_0041720B | |
| Source: | Code function: | 3_2_00408A20 | |
| Source: | Code function: | 3_2_0041E230 | |
| Source: | Code function: | 3_2_0041AAE0 | |
| Source: | Code function: | 3_2_0042C289 | |
| Source: | Code function: | 3_2_00409290 | |
| Source: | Code function: | 3_2_00411A94 | |
| Source: | Code function: | 3_2_0040F2A0 | |
| Source: | Code function: | 3_2_00417B75 | |
| Source: | Code function: | 3_2_00404310 | |
| Source: | Code function: | 3_2_00431B10 | |
| Source: | Code function: | 3_2_0040AB20 | |
| Source: | Code function: | 3_2_0043D320 | |
| Source: | Code function: | 3_2_0042A3B0 | |
| Source: | Code function: | 3_2_0043D3B0 | |
| Source: | Code function: | 3_2_00407440 | |
| Source: | Code function: | 3_2_00428C46 | |
| Source: | Code function: | 3_2_00404C50 | |
| Source: | Code function: | 3_2_0041DC50 | |
| Source: | Code function: | 3_2_0043D450 | |
| Source: | Code function: | 3_2_00423C60 | |
| Source: | Code function: | 3_2_004164E0 | |
| Source: | Code function: | 3_2_004374F0 | |
| Source: | Code function: | 3_2_0041D560 | |
| Source: | Code function: | 3_2_00421D10 | |
| Source: | Code function: | 3_2_0043A510 | |
| Source: | Code function: | 3_2_00427D94 | |
| Source: | Code function: | 3_2_00425640 | |
| Source: | Code function: | 3_2_00406660 | |
| Source: | Code function: | 3_2_00419605 | |
| Source: | Code function: | 3_2_00405E30 | |
| Source: | Code function: | 3_2_004266C0 | |
| Source: | Code function: | 3_2_0042FEC0 | |
| Source: | Code function: | 3_2_004226D3 | |
| Source: | Code function: | 3_2_00437EA0 | |
| Source: | Code function: | 3_2_0043DEB0 | |
| Source: | Code function: | 3_2_00402F40 | |
| Source: | Code function: | 3_2_0041F700 | |
| Source: | Code function: | 3_2_00409710 | |
| Source: | Code function: | 3_2_0041DFC0 | |
| Source: | Code function: | 3_2_0042DFC3 | |
| Source: | Code function: | 3_2_00435FF0 | |
| Source: | Code function: | 3_2_00423FF1 | |
| Source: | Code function: | 3_2_00437790 | |
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 3_2_00436BF0 | |
| Source: | Mutant created: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_0019FB96 | |
| Source: | Code function: | 3_2_0019FB96 | |
| Source: | Code function: | 3_2_0043D0F1 | |
| Source: | Code function: | 3_2_0044494C | |
| Source: | Code function: | 3_2_00441AA4 | |
| Source: | Code function: | 3_2_0043A48E | |
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | WMI Queries: | ||
| Source: | System information queried: | Jump to behavior | ||
| Source: | Evasive API call chain: | graph_0-20524 | ||
| Source: | API coverage: | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | Code function: | 0_2_001B1F38 | |
| Source: | Code function: | 0_2_001B1FE9 | |
| Source: | Code function: | 3_2_001B1F38 | |
| Source: | Code function: | 3_2_001B1FE9 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 3_2_0043BAD0 | |
| Source: | Code function: | 0_2_0019F8E9 | |
| Source: | Code function: | 0_2_001CA19E | |
| Source: | Code function: | 0_2_00191FB0 | |
| Source: | Code function: | 3_2_00191FB0 | |
| Source: | Code function: | 0_2_001AD8E0 | |
| Source: | Code function: | 0_2_0019F52D | |
| Source: | Code function: | 0_2_0019F8DD | |
| Source: | Code function: | 0_2_0019F8E9 | |
| Source: | Code function: | 0_2_001A7E30 | |
| Source: | Code function: | 3_2_0019F52D | |
| Source: | Code function: | 3_2_0019F8DD | |
| Source: | Code function: | 3_2_0019F8E9 | |
| Source: | Code function: | 3_2_001A7E30 | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Code function: | 0_2_001CA19E | |
| Source: | Memory written: | Jump to behavior | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_001AD1BD | |
| Source: | Code function: | 0_2_001B1287 | |
| Source: | Code function: | 0_2_001B14D8 | |
| Source: | Code function: | 0_2_001B1580 | |
| Source: | Code function: | 0_2_001B17D3 | |
| Source: | Code function: | 0_2_001B1840 | |
| Source: | Code function: | 0_2_001B1915 | |
| Source: | Code function: | 0_2_001B1960 | |
| Source: | Code function: | 0_2_001B1A07 | |
| Source: | Code function: | 0_2_001B1B0D | |
| Source: | Code function: | 0_2_001ACC15 | |
| Source: | Code function: | 3_2_001AD1BD | |
| Source: | Code function: | 3_2_001B1287 | |
| Source: | Code function: | 3_2_001B14D8 | |
| Source: | Code function: | 3_2_001B1580 | |
| Source: | Code function: | 3_2_001B17D3 | |
| Source: | Code function: | 3_2_001B1840 | |
| Source: | Code function: | 3_2_001B1915 | |
| Source: | Code function: | 3_2_001B1960 | |
| Source: | Code function: | 3_2_001B1A07 | |
| Source: | Code function: | 3_2_001B1B0D | |
| Source: | Code function: | 3_2_001ACC15 | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_001A00B4 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 DLL Side-Loading | 211 Process Injection | 21 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 211 Process Injection | LSASS Memory | 1 Query Registry | Remote Desktop Protocol | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 241 Security Software Discovery | SMB/Windows Admin Shares | 4 Data from Local System | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 21 Virtualization/Sandbox Evasion | Distributed Component Object Model | 2 Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 33 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| undesirabkel.click | 104.21.30.13 | true | true | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown | |
| false | high | ||
| false | high | ||
| false | high | ||
| false | high | ||
| true |
| unknown | |
| false | high | ||
| false | high | ||
| false | high | ||
| false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 104.21.30.13 | undesirabkel.click | United States | 13335 | CLOUDFLARENETUS | true |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1581508 |
| Start date and time: | 2024-12-27 23:14:07 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 4m 47s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 6 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | WonderHack.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@4/1@1/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.63
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- VT rate limit hit for: WonderHack.exe
| Time | Type | Description |
|---|---|---|
| 17:14:56 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 104.21.30.13 | Get hash | malicious | Unknown | Browse | ||
| Get hash | malicious | Unknown | Browse |
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
|
⊘No context
| Process: | C:\Users\user\Desktop\WonderHack.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 14402 |
| Entropy (8bit): | 4.874636730022465 |
| Encrypted: | false |
| SSDEEP: | 384:vlICCmV5fTMzsM3qlICCmV5fTMzsM3ip9guFx2rBhiLfmfU:vGCC+dMOGCC+dMY9guFx2rBo |
| MD5: | DF0EFD0545733561C6E165770FB3661C |
| SHA1: | 0F3AD477176CF235C6C59EE2EB15D81DCB6178A8 |
| SHA-256: | A434B406E97A2C892FA88C3975D8181EBEA62A8DA919C5221409E425DF50FD17 |
| SHA-512: | 3FF527435BC8BCF2640E0B64725CC0DB8A801D912698D4D94C44200529268B80AA7B59A2E2A2EA6C4621E09AA249AAA3583A8D90E4F5D7B68E0E6FFFEB759918 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.558414427397498 |
| TrID: |
|
| File name: | WonderHack.exe |
| File size: | 561'192 bytes |
| MD5: | 83614dc842994c0adabd914b7273d6cc |
| SHA1: | 4600ed64d6d42dec8f26d503b3af6af2c183a44f |
| SHA256: | 848ccff6a8e523f7e0a7a787b480adad7cf7d0ec6a93362a6a3e94e0e5e93e8d |
| SHA512: | 6f7b44a2ef78d18a506e13ac222da847294c9bd22f633b36aa4f5ebafe1adacca0c012f705aceae5275c62f75b83a2abed51f675229254be6d887142fb404c98 |
| SSDEEP: | 12288:8YO6Dqzihouxpa+yWpYa2q+I3jv6W4tCbgzvPoJgBwg0rPEO:5O6DThou2+yAYq+c4tEqv4WQrPt |
| TLSH: | B7C4D0027690C0B2C56316779AB9D779093FB8200F6257DB97A84BBDDEB02C14F31A6D |
| File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....ng..........................................@.................................oE....@.................................|j..<.. |
 | |
| Icon Hash: | 00928e8e8686b000 |
| Entrypoint: | 0x4104a0 |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x400000 |
| Subsystem: | windows cui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x676E98E6 [Fri Dec 27 12:09:10 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 96d90e8808da099bc17e050394f447e7 |
| Signature Valid: | false |
| Signature Issuer: | CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US |
| Signature Validation Error: | The digital signature of the object did not verify |
| Error Number: | -2146869232 |
| Not Before, Not After |
|
| Subject Chain |
|
| Version: | 3 |
| Thumbprint MD5: | 5F1B6B6C408DB2B4D60BAA489E9A0E5A |
| Thumbprint SHA-1: | 15F760D82C79D22446CC7D4806540BF632B1E104 |
| Thumbprint SHA-256: | 28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D |
| Serial: | 0997C56CAA59055394D9A9CDB8BEEB56 |
| Instruction |
|---|
| call 00007F4BF4DC8FCAh |
| jmp 00007F4BF4DC8E2Dh |
| mov ecx, dword ptr [0043B680h] |
| push esi |
| push edi |
| mov edi, BB40E64Eh |
| mov esi, FFFF0000h |
| cmp ecx, edi |
| je 00007F4BF4DC8FC6h |
| test esi, ecx |
| jne 00007F4BF4DC8FE8h |
| call 00007F4BF4DC8FF1h |
| mov ecx, eax |
| cmp ecx, edi |
| jne 00007F4BF4DC8FC9h |
| mov ecx, BB40E64Fh |
| jmp 00007F4BF4DC8FD0h |
| test esi, ecx |
| jne 00007F4BF4DC8FCCh |
| or eax, 00004711h |
| shl eax, 10h |
| or ecx, eax |
| mov dword ptr [0043B680h], ecx |
| not ecx |
| pop edi |
| mov dword ptr [0043B6C0h], ecx |
| pop esi |
| ret |
| push ebp |
| mov ebp, esp |
| sub esp, 14h |
| lea eax, dword ptr [ebp-0Ch] |
| xorps xmm0, xmm0 |
| push eax |
| movlpd qword ptr [ebp-0Ch], xmm0 |
| call dword ptr [00436D00h] |
| mov eax, dword ptr [ebp-08h] |
| xor eax, dword ptr [ebp-0Ch] |
| mov dword ptr [ebp-04h], eax |
| call dword ptr [00436CB8h] |
| xor dword ptr [ebp-04h], eax |
| call dword ptr [00436CB4h] |
| xor dword ptr [ebp-04h], eax |
| lea eax, dword ptr [ebp-14h] |
| push eax |
| call dword ptr [00436D50h] |
| mov eax, dword ptr [ebp-10h] |
| lea ecx, dword ptr [ebp-04h] |
| xor eax, dword ptr [ebp-14h] |
| xor eax, dword ptr [ebp-04h] |
| xor eax, ecx |
| leave |
| ret |
| mov eax, 00004000h |
| ret |
| push 0043CF48h |
| call dword ptr [00436D28h] |
| ret |
| push 00030000h |
| push 00010000h |
| push 00000000h |
| call 00007F4BF4DCFDA3h |
| add esp, 0Ch |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x36a7c | 0x3c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8c000 | 0x3fc | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x86a00 | 0x2628 | .bss |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3f000 | 0x2744 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x32608 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2ea98 | 0xc0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x36c3c | 0x184 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x2b4ca | 0x2b600 | ebf84c6b836020b1a66433a898baeab7 | False | 0.5443702719740634 | data | 6.596404756541432 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x2d000 | 0xc50c | 0xc600 | 96e76e7ef084461591b1dcd4c2131f05 | False | 0.40260022095959597 | data | 4.741850626178578 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x3a000 | 0x3714 | 0x2800 | d87fd4546a2b39263a028b496b33108f | False | 0.29814453125 | data | 5.024681407682101 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .tls | 0x3e000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .reloc | 0x3f000 | 0x2744 | 0x2800 | c7508b57e36483307c47b7dd73fc0c85 | False | 0.75166015625 | data | 6.531416896423856 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| .bss | 0x42000 | 0x49200 | 0x49200 | efcbe068df8492502064bc01a592f7ae | False | 1.0003372061965812 | data | 7.999341172781042 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x8c000 | 0x3fc | 0x400 | 05b707b97d801ccd31a47ec3bf42267d | False | 0.443359375 | data | 3.391431520369637 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_VERSION | 0x8c058 | 0x3a4 | data | English | United States | 0.44849785407725323 |
| DLL | Import |
|---|---|
| KERNEL32.dll | AcquireSRWLockExclusive, CloseHandle, CloseThreadpoolWork, CompareStringW, CreateFileW, CreateThread, CreateThreadpoolWork, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, ExitThread, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, FreeLibraryWhenCallbackReturns, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetConsoleWindow, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetExitCodeThread, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitOnceBeginInitialize, InitOnceComplete, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, SubmitThreadpoolWork, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, WaitForSingleObjectEx, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile |
| USER32.dll | ShowWindow |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-27T23:14:55.472761+0100 | 2058550 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (undesirabkel .click) | 1 | 192.168.2.5 | 58235 | 1.1.1.1 | 53 | UDP |
| 2024-12-27T23:14:57.031822+0100 | 2058551 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) | 1 | 192.168.2.5 | 49708 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:14:57.031822+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49708 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:14:57.931139+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49708 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:14:57.931139+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49708 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:14:59.248165+0100 | 2058551 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) | 1 | 192.168.2.5 | 49709 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:14:59.248165+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49709 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:15:00.027960+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.5 | 49709 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:15:00.027960+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49709 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:15:01.741831+0100 | 2058551 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) | 1 | 192.168.2.5 | 49710 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:15:01.741831+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49710 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:15:04.391250+0100 | 2058551 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) | 1 | 192.168.2.5 | 49711 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:15:04.391250+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49711 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:15:07.061805+0100 | 2058551 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) | 1 | 192.168.2.5 | 49712 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:15:07.061805+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49712 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:15:09.814998+0100 | 2058551 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) | 1 | 192.168.2.5 | 49713 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:15:09.814998+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49713 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:15:10.600667+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.5 | 49713 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:15:12.803297+0100 | 2058551 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) | 1 | 192.168.2.5 | 49714 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:15:12.803297+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49714 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:15:15.432371+0100 | 2058551 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) | 1 | 192.168.2.5 | 49720 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:15:15.432371+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49720 | 104.21.30.13 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 27, 2024 23:14:55.810376883 CET | 49708 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:14:55.810425043 CET | 443 | 49708 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:14:55.810523033 CET | 49708 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:14:55.811666965 CET | 49708 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:14:55.811678886 CET | 443 | 49708 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:14:57.031717062 CET | 443 | 49708 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:14:57.031821966 CET | 49708 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:14:57.086596012 CET | 49708 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:14:57.086612940 CET | 443 | 49708 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:14:57.086895943 CET | 443 | 49708 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:14:57.135436058 CET | 49708 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:14:57.191932917 CET | 49708 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:14:57.191963911 CET | 49708 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:14:57.192047119 CET | 443 | 49708 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:14:57.931139946 CET | 443 | 49708 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:14:57.931231022 CET | 443 | 49708 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:14:57.931283951 CET | 49708 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:14:57.932908058 CET | 49708 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:14:57.932925940 CET | 443 | 49708 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:14:57.932936907 CET | 49708 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:14:57.932941914 CET | 443 | 49708 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:14:57.941824913 CET | 49709 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:14:57.941864967 CET | 443 | 49709 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:14:57.941935062 CET | 49709 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:14:57.942873955 CET | 49709 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:14:57.942888975 CET | 443 | 49709 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:14:59.248079062 CET | 443 | 49709 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:14:59.248164892 CET | 49709 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:14:59.249546051 CET | 49709 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:14:59.249551058 CET | 443 | 49709 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:14:59.249773979 CET | 443 | 49709 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:14:59.251034975 CET | 49709 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:14:59.251050949 CET | 49709 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:14:59.251096964 CET | 443 | 49709 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:00.027951002 CET | 443 | 49709 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:00.028007030 CET | 443 | 49709 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:00.028033972 CET | 443 | 49709 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:00.028064966 CET | 443 | 49709 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:00.028100967 CET | 443 | 49709 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:00.028101921 CET | 49709 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:00.028119087 CET | 443 | 49709 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:00.028131962 CET | 49709 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:00.028162956 CET | 49709 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:00.036092043 CET | 443 | 49709 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:00.043262959 CET | 443 | 49709 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:00.043330908 CET | 49709 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:00.043340921 CET | 443 | 49709 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:00.051676989 CET | 443 | 49709 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:00.051733017 CET | 49709 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:00.051740885 CET | 443 | 49709 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:00.104212046 CET | 49709 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:00.147525072 CET | 443 | 49709 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:00.189771891 CET | 49709 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:00.189798117 CET | 443 | 49709 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:00.241803885 CET | 443 | 49709 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:00.241837025 CET | 443 | 49709 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:00.241859913 CET | 49709 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:00.241898060 CET | 443 | 49709 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:00.241913080 CET | 443 | 49709 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:00.241951942 CET | 49709 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:00.241983891 CET | 49709 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:00.242465019 CET | 49709 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:00.242481947 CET | 443 | 49709 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:00.242492914 CET | 49709 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:00.242496967 CET | 443 | 49709 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:00.483715057 CET | 49710 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:00.483746052 CET | 443 | 49710 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:00.483844042 CET | 49710 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:00.484167099 CET | 49710 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:00.484177113 CET | 443 | 49710 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:01.741661072 CET | 443 | 49710 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:01.741831064 CET | 49710 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:01.743129015 CET | 49710 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:01.743134975 CET | 443 | 49710 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:01.743345022 CET | 443 | 49710 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:01.744570017 CET | 49710 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:01.744723082 CET | 49710 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:01.744750023 CET | 443 | 49710 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:02.718935013 CET | 443 | 49710 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:02.719017982 CET | 443 | 49710 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:02.719118118 CET | 49710 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:02.737610102 CET | 49710 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:02.737621069 CET | 443 | 49710 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:03.116529942 CET | 49711 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:03.116578102 CET | 443 | 49711 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:03.116647959 CET | 49711 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:03.117028952 CET | 49711 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:03.117043018 CET | 443 | 49711 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:04.391082048 CET | 443 | 49711 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:04.391249895 CET | 49711 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:04.393956900 CET | 49711 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:04.393970966 CET | 443 | 49711 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:04.394174099 CET | 443 | 49711 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:04.398793936 CET | 49711 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:04.400872946 CET | 49711 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:04.400913000 CET | 443 | 49711 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:04.400983095 CET | 49711 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:04.443332911 CET | 443 | 49711 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:05.239176989 CET | 443 | 49711 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:05.239255905 CET | 443 | 49711 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:05.239427090 CET | 49711 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:05.239552021 CET | 49711 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:05.239573956 CET | 443 | 49711 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:05.468447924 CET | 49712 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:05.468542099 CET | 443 | 49712 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:05.468655109 CET | 49712 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:05.469002962 CET | 49712 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:05.469039917 CET | 443 | 49712 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:07.061579943 CET | 443 | 49712 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:07.061805010 CET | 49712 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:07.063210964 CET | 49712 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:07.063232899 CET | 443 | 49712 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:07.063579082 CET | 443 | 49712 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:07.064982891 CET | 49712 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:07.065182924 CET | 49712 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:07.065226078 CET | 443 | 49712 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:07.065299034 CET | 49712 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:07.065315008 CET | 443 | 49712 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:08.043562889 CET | 443 | 49712 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:08.043668985 CET | 443 | 49712 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:08.043735027 CET | 49712 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:08.043860912 CET | 49712 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:08.043896914 CET | 443 | 49712 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:08.529710054 CET | 49713 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:08.529761076 CET | 443 | 49713 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:08.529844046 CET | 49713 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:08.530236006 CET | 49713 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:08.530258894 CET | 443 | 49713 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:09.814914942 CET | 443 | 49713 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:09.814997911 CET | 49713 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:09.816360950 CET | 49713 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:09.816375017 CET | 443 | 49713 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:09.816575050 CET | 443 | 49713 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:09.817852974 CET | 49713 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:09.817953110 CET | 49713 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:09.817959070 CET | 443 | 49713 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:10.600682974 CET | 443 | 49713 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:10.600754023 CET | 443 | 49713 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:10.600831032 CET | 49713 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:10.601025105 CET | 49713 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:10.601036072 CET | 443 | 49713 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:11.568279982 CET | 49714 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:11.568352938 CET | 443 | 49714 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:11.568448067 CET | 49714 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:11.568856001 CET | 49714 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:11.568887949 CET | 443 | 49714 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:12.803064108 CET | 443 | 49714 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:12.803297043 CET | 49714 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:12.804594040 CET | 49714 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:12.804620028 CET | 443 | 49714 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:12.804830074 CET | 443 | 49714 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:12.808577061 CET | 49714 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:12.809343100 CET | 49714 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:12.809386015 CET | 443 | 49714 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:12.809528112 CET | 49714 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:12.809568882 CET | 443 | 49714 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:12.810400963 CET | 49714 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:12.810448885 CET | 443 | 49714 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:12.811491013 CET | 49714 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:12.811543941 CET | 443 | 49714 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:12.812766075 CET | 49714 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:12.812815905 CET | 443 | 49714 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:12.813005924 CET | 49714 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:12.813040972 CET | 443 | 49714 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:12.813071966 CET | 49714 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:12.813093901 CET | 443 | 49714 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:12.813186884 CET | 49714 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:12.813220978 CET | 443 | 49714 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:12.813266039 CET | 49714 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:12.813534975 CET | 49714 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:12.813580036 CET | 49714 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:12.855348110 CET | 443 | 49714 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:12.855561972 CET | 49714 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:12.855601072 CET | 443 | 49714 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:12.855634928 CET | 49714 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:12.855669022 CET | 443 | 49714 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:12.855740070 CET | 49714 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:12.855773926 CET | 443 | 49714 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:15.153389931 CET | 443 | 49714 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:15.153631926 CET | 443 | 49714 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:15.153736115 CET | 49714 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:15.153846979 CET | 49714 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:15.153901100 CET | 443 | 49714 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:15.191458941 CET | 49720 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:15.191483021 CET | 443 | 49720 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:15.191560984 CET | 49720 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:15.191941023 CET | 49720 | 443 | 192.168.2.5 | 104.21.30.13 |
| Dec 27, 2024 23:15:15.191951036 CET | 443 | 49720 | 104.21.30.13 | 192.168.2.5 |
| Dec 27, 2024 23:15:15.432370901 CET | 49720 | 443 | 192.168.2.5 | 104.21.30.13 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 27, 2024 23:14:55.472760916 CET | 58235 | 53 | 192.168.2.5 | 1.1.1.1 |
| Dec 27, 2024 23:14:55.805047989 CET | 53 | 58235 | 1.1.1.1 | 192.168.2.5 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Dec 27, 2024 23:14:55.472760916 CET | 192.168.2.5 | 1.1.1.1 | 0x6d9a | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Dec 27, 2024 23:14:55.805047989 CET | 1.1.1.1 | 192.168.2.5 | 0x6d9a | No error (0) | 104.21.30.13 | A (IP address) | IN (0x0001) | false | ||
| Dec 27, 2024 23:14:55.805047989 CET | 1.1.1.1 | 192.168.2.5 | 0x6d9a | No error (0) | 172.67.150.49 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 49708 | 104.21.30.13 | 443 | 6152 | C:\Users\user\Desktop\WonderHack.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-27 22:14:57 UTC | 265 | OUT | |
| 2024-12-27 22:14:57 UTC | 8 | OUT | |
| 2024-12-27 22:14:57 UTC | 1127 | IN | |
| 2024-12-27 22:14:57 UTC | 7 | IN | |
| 2024-12-27 22:14:57 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.5 | 49709 | 104.21.30.13 | 443 | 6152 | C:\Users\user\Desktop\WonderHack.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-27 22:14:59 UTC | 266 | OUT | |
| 2024-12-27 22:14:59 UTC | 54 | OUT | |
| 2024-12-27 22:15:00 UTC | 1129 | IN | |
| 2024-12-27 22:15:00 UTC | 240 | IN | |
| 2024-12-27 22:15:00 UTC | 1369 | IN | |
| 2024-12-27 22:15:00 UTC | 1369 | IN | |
| 2024-12-27 22:15:00 UTC | 1369 | IN | |
| 2024-12-27 22:15:00 UTC | 1369 | IN | |
| 2024-12-27 22:15:00 UTC | 1369 | IN | |
| 2024-12-27 22:15:00 UTC | 1369 | IN | |
| 2024-12-27 22:15:00 UTC | 1369 | IN | |
| 2024-12-27 22:15:00 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.5 | 49710 | 104.21.30.13 | 443 | 6152 | C:\Users\user\Desktop\WonderHack.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-27 22:15:01 UTC | 278 | OUT | |
| 2024-12-27 22:15:01 UTC | 12806 | OUT | |
| 2024-12-27 22:15:02 UTC | 1142 | IN | |
| 2024-12-27 22:15:02 UTC | 20 | IN | |
| 2024-12-27 22:15:02 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.5 | 49711 | 104.21.30.13 | 443 | 6152 | C:\Users\user\Desktop\WonderHack.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-27 22:15:04 UTC | 277 | OUT | |
| 2024-12-27 22:15:04 UTC | 15042 | OUT | |
| 2024-12-27 22:15:05 UTC | 1133 | IN | |
| 2024-12-27 22:15:05 UTC | 20 | IN | |
| 2024-12-27 22:15:05 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.5 | 49712 | 104.21.30.13 | 443 | 6152 | C:\Users\user\Desktop\WonderHack.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-27 22:15:07 UTC | 281 | OUT | |
| 2024-12-27 22:15:07 UTC | 15331 | OUT | |
| 2024-12-27 22:15:07 UTC | 5225 | OUT | |
| 2024-12-27 22:15:08 UTC | 1136 | IN | |
| 2024-12-27 22:15:08 UTC | 20 | IN | |
| 2024-12-27 22:15:08 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.5 | 49713 | 104.21.30.13 | 443 | 6152 | C:\Users\user\Desktop\WonderHack.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-27 22:15:09 UTC | 276 | OUT | |
| 2024-12-27 22:15:09 UTC | 1217 | OUT | |
| 2024-12-27 22:15:10 UTC | 1132 | IN | |
| 2024-12-27 22:15:10 UTC | 20 | IN | |
| 2024-12-27 22:15:10 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.5 | 49714 | 104.21.30.13 | 443 | 6152 | C:\Users\user\Desktop\WonderHack.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-27 22:15:12 UTC | 286 | OUT | |
| 2024-12-27 22:15:12 UTC | 15331 | OUT | |
| 2024-12-27 22:15:12 UTC | 15331 | OUT | |
| 2024-12-27 22:15:12 UTC | 15331 | OUT | |
| 2024-12-27 22:15:12 UTC | 15331 | OUT | |
| 2024-12-27 22:15:12 UTC | 15331 | OUT | |
| 2024-12-27 22:15:12 UTC | 15331 | OUT | |
| 2024-12-27 22:15:12 UTC | 15331 | OUT | |
| 2024-12-27 22:15:12 UTC | 15331 | OUT | |
| 2024-12-27 22:15:12 UTC | 15331 | OUT | |
| 2024-12-27 22:15:12 UTC | 15331 | OUT | |
| 2024-12-27 22:15:15 UTC | 1137 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 17:14:53 |
| Start date: | 27/12/2024 |
| Path: | C:\Users\user\Desktop\WonderHack.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x190000 |
| File size: | 561'192 bytes |
| MD5 hash: | 83614DC842994C0ADABD914B7273D6CC |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 17:14:53 |
| Start date: | 27/12/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6d64d0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 17:14:54 |
| Start date: | 27/12/2024 |
| Path: | C:\Users\user\Desktop\WonderHack.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x190000 |
| File size: | 561'192 bytes |
| MD5 hash: | 83614DC842994C0ADABD914B7273D6CC |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 6.4% |
| Dynamic/Decrypted Code Coverage: | 1% |
| Signature Coverage: | 3.6% |
| Total number of Nodes: | 839 |
| Total number of Limit Nodes: | 12 |
Graph
Function 001CA19E Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295threadinjectionmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00191FB0 Relevance: 9.2, APIs: 6, Instructions: 200fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00191000 Relevance: .1, Instructions: 89COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001924B0 Relevance: 10.6, APIs: 7, Instructions: 83threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001ACF0B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001A5349 Relevance: 4.6, APIs: 3, Instructions: 51threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001A54EE Relevance: 4.5, APIs: 3, Instructions: 30threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001990F0 Relevance: 3.1, APIs: 2, Instructions: 73COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001ADA52 Relevance: 3.1, APIs: 2, Instructions: 65COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00191EF0 Relevance: 3.1, APIs: 2, Instructions: 60memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001A5470 Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00192270 Relevance: 3.0, APIs: 2, Instructions: 29COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001ABED7 Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0019DEF0 Relevance: 1.6, APIs: 1, Instructions: 116COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0019CB40 Relevance: 1.6, APIs: 1, Instructions: 111COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0019B060 Relevance: 1.6, APIs: 1, Instructions: 66COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0019CB32 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00197770 Relevance: 1.5, APIs: 1, Instructions: 37COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001ABF11 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001998F0 Relevance: 1.5, APIs: 1, Instructions: 30COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001B1A07 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001A9CC0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001B1FE9 Relevance: 6.2, APIs: 4, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0019F8E9 Relevance: 6.1, APIs: 4, Instructions: 70COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001B1580 Relevance: 4.7, APIs: 3, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0019F555 Relevance: 1.7, APIs: 1, Instructions: 242COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001B1F38 Relevance: 1.7, APIs: 1, Instructions: 199fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001B1840 Relevance: 1.6, APIs: 1, Instructions: 83COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001A3FB2 Relevance: 1.6, Strings: 1, Instructions: 318COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001B1960 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001B1B0D Relevance: 1.5, APIs: 1, Instructions: 48COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0019F8DD Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001AD8E0 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0019FE29 Relevance: 12.2, APIs: 8, Instructions: 177COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001AEE76 Relevance: 10.8, APIs: 7, Instructions: 329COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001A0080 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00199B30 Relevance: 9.1, APIs: 6, Instructions: 125COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001AB56E Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001A55C4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001AD6EA Relevance: 7.7, APIs: 5, Instructions: 197COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0019EFF1 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00193C70 Relevance: 7.6, APIs: 5, Instructions: 111COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0019D4C2 Relevance: 7.5, APIs: 5, Instructions: 49COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001B6940 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00197220 Relevance: 6.1, APIs: 4, Instructions: 129threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00194460 Relevance: 6.1, APIs: 4, Instructions: 112COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001B1DC6 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001A2BA2 Relevance: 6.1, APIs: 4, Instructions: 79COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001B31BE Relevance: 6.1, APIs: 4, Instructions: 74COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0019E892 Relevance: 6.1, APIs: 4, Instructions: 60COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001A04F5 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001B0976 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001AB992 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 120COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00193E90 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001AB1FE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0019B46C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00192610 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 5% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 44.4% |
| Total number of Nodes: | 261 |
| Total number of Limit Nodes: | 19 |
Graph
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00436BF0 Relevance: 21.7, APIs: 11, Strings: 1, Instructions: 718memorycomCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00408720 Relevance: 7.7, APIs: 5, Instructions: 235threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043BAD0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043DAA0 Relevance: 1.3, Strings: 1, Instructions: 92COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043C59C Relevance: 1.3, Strings: 1, Instructions: 70COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00426230 Relevance: .4, Instructions: 389COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043DBB0 Relevance: .3, Instructions: 269COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004192C0 Relevance: .2, Instructions: 187COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043EEC0 Relevance: .1, Instructions: 141COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042BA8B Relevance: 1.6, APIs: 1, Instructions: 71COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042BA89 Relevance: 1.6, APIs: 1, Instructions: 59COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042BA45 Relevance: 1.6, APIs: 1, Instructions: 57COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00435BDB Relevance: 1.5, APIs: 1, Instructions: 41COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043BA70 Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042FB06 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00430779 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043BC91 Relevance: 1.5, APIs: 1, Instructions: 20COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040C900 Relevance: 1.5, APIs: 1, Instructions: 18COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040C935 Relevance: 1.5, APIs: 1, Instructions: 17COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043A0A0 Relevance: 1.5, APIs: 1, Instructions: 15memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043A080 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00423FF1 Relevance: 14.9, Strings: 11, Instructions: 1151COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004226D3 Relevance: 9.5, Strings: 7, Instructions: 769COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001B1A07 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00191FB0 Relevance: 7.7, APIs: 5, Instructions: 200fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00418095 Relevance: 7.6, Strings: 5, Instructions: 1319COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001A9CC0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001B1FE9 Relevance: 6.2, APIs: 4, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0019F8E9 Relevance: 6.1, APIs: 4, Instructions: 70COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004259B0 Relevance: 5.4, Strings: 4, Instructions: 408COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042C894 Relevance: 5.3, Strings: 4, Instructions: 308COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043A800 Relevance: 4.4, Strings: 3, Instructions: 638COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042C984 Relevance: 4.1, Strings: 3, Instructions: 301COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042C9E9 Relevance: 4.0, Strings: 3, Instructions: 300COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042C9DA Relevance: 4.0, Strings: 3, Instructions: 274COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041720B Relevance: 3.4, Strings: 2, Instructions: 890COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041CC60 Relevance: 3.0, Strings: 2, Instructions: 493COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041AD81 Relevance: 2.8, Strings: 2, Instructions: 279COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041D172 Relevance: 2.7, Strings: 2, Instructions: 241COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041D189 Relevance: 2.7, Strings: 2, Instructions: 235COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004290B0 Relevance: 2.6, Strings: 2, Instructions: 85COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00414A50 Relevance: 2.4, Strings: 1, Instructions: 1153COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004266C0 Relevance: 1.8, Strings: 1, Instructions: 544COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043B813 Relevance: 1.4, Strings: 1, Instructions: 186COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043E8D0 Relevance: 1.4, Strings: 1, Instructions: 166COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00428290 Relevance: 1.3, Strings: 1, Instructions: 86COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043BC14 Relevance: 1.3, Strings: 1, Instructions: 37COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043D140 Relevance: .8, Instructions: 757COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407440 Relevance: .7, Instructions: 664COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00437790 Relevance: .5, Instructions: 506COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041D560 Relevance: .3, Instructions: 267COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040EDB4 Relevance: .2, Instructions: 180COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042B078 Relevance: .2, Instructions: 166COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00437D00 Relevance: .2, Instructions: 155COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043F040 Relevance: .1, Instructions: 138COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043B46A Relevance: .1, Instructions: 131COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00416D52 Relevance: .1, Instructions: 99COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00408A20 Relevance: .1, Instructions: 91COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043BCDB Relevance: .1, Instructions: 76COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00428640 Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00429DA0 Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004146C0 Relevance: .0, Instructions: 47COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004210F3 Relevance: .0, Instructions: 11COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0019FE29 Relevance: 12.2, APIs: 8, Instructions: 177COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001AEE76 Relevance: 10.8, APIs: 7, Instructions: 329COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001924B0 Relevance: 10.6, APIs: 7, Instructions: 83threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001ACF0B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001A0080 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00199B30 Relevance: 9.1, APIs: 6, Instructions: 125COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001AB56E Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001A55C4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001AD6EA Relevance: 7.7, APIs: 5, Instructions: 197COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0019EFF1 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00193C70 Relevance: 7.6, APIs: 5, Instructions: 111COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001B6940 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00197220 Relevance: 6.1, APIs: 4, Instructions: 129threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00194460 Relevance: 6.1, APIs: 4, Instructions: 112COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001B1DC6 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001A2BA2 Relevance: 6.1, APIs: 4, Instructions: 79COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001B31BE Relevance: 6.1, APIs: 4, Instructions: 74COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0019E892 Relevance: 6.1, APIs: 4, Instructions: 60COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001A04F5 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001B0976 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001AB992 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 120COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001AB1FE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0019B46C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00192610 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|