Edit tour
Windows
Analysis Report
Loader.exe
Overview
General Information
| Sample name: | Loader.exe |
| Analysis ID: | 1581511 |
| MD5: | 7773630abc9d30d9e4fb74481736224c |
| SHA1: | 960bcdda71ed3b4bef604dc549cdf4a0f84c4636 |
| SHA256: | 3cac35e6047f481ebf1530b5e63e9ad9846963dea7238351770dd6f21b846711 |
| Tags: | exeLummaStealeruser-ventoy |
| Infos: |  |
 | |
Detection
LummaC
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
Loader.exe (PID: 7332 cmdline: "C:\Users\ user\Deskt op\Loader. exe" MD5: 7773630ABC9D30D9E4FB74481736224C) 
conhost.exe (PID: 7340 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - Loader.exe (PID: 7400 cmdline:
"C:\Users\ user\Deskt op\Loader. exe" MD5: 7773630ABC9D30D9E4FB74481736224C) - Loader.exe (PID: 7408 cmdline:
"C:\Users\ user\Deskt op\Loader. exe" MD5: 7773630ABC9D30D9E4FB74481736224C)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
{"C2 url": ["appliacnesot.buzz", "cashfuzysao.buzz", "rebuildeso.buzz", "screwamusresz.buzz", "inherineau.buzz", "undesirabkel.click", "hummskitnj.buzz", "prisonyfork.buzz", "scentniej.buzz"], "Build id": "LPnhqo--yxojbtuqnnxf"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-27T23:26:58.822905+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49730 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:27:00.794201+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:27:03.254522+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:27:07.941464+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:27:10.195422+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49734 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:27:12.836751+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49735 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:27:15.839085+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:27:20.017873+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49741 | 104.21.30.13 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-27T23:26:59.564081+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:27:01.586988+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:27:20.785675+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49741 | 104.21.30.13 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-27T23:26:59.564081+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 104.21.30.13 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-27T23:27:01.586988+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 104.21.30.13 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-27T23:26:58.822905+0100 | 2058551 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49730 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:27:00.794201+0100 | 2058551 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49731 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:27:03.254522+0100 | 2058551 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49732 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:27:07.941464+0100 | 2058551 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49733 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:27:10.195422+0100 | 2058551 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49734 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:27:12.836751+0100 | 2058551 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49735 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:27:15.839085+0100 | 2058551 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49737 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:27:20.017873+0100 | 2058551 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49741 | 104.21.30.13 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-27T23:26:57.370528+0100 | 2058550 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 64722 | 1.1.1.1 | 53 | UDP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-27T23:27:06.637591+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.21.30.13 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Code function: | 0_2_00922560 | |
| Source: | Code function: | 2_2_00922560 | |
| Source: | Code function: | 3_2_00415200 | |
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 0_2_009420D9 | |
| Source: | Code function: | 0_2_00942028 | |
| Source: | Code function: | 2_2_009420D9 | |
| Source: | Code function: | 2_2_00942028 | |
| Source: | Code function: | 3_2_00415200 | |
| Source: | Code function: | 3_2_00409370 | |
| Source: | Code function: | 3_2_00409370 | |
| Source: | Code function: | 3_2_0043F39E | |
| Source: | Code function: | 3_2_00440CE0 | |
| Source: | Code function: | 3_2_00439490 | |
| Source: | Code function: | 3_2_00439490 | |
| Source: | Code function: | 3_2_00441DA0 | |
| Source: | Code function: | 3_2_00440E00 | |
| Source: | Code function: | 3_2_004396A0 | |
| Source: | Code function: | 3_2_0040D7CF | |
| Source: | Code function: | 3_2_0041D050 | |
| Source: | Code function: | 3_2_0041780D | |
| Source: | Code function: | 3_2_004410D0 | |
| Source: | Code function: | 3_2_0042788F | |
| Source: | Code function: | 3_2_0041C900 | |
| Source: | Code function: | 3_2_0042B100 | |
| Source: | Code function: | 3_2_00427917 | |
| Source: | Code function: | 3_2_0043A120 | |
| Source: | Code function: | 3_2_0043A120 | |
| Source: | Code function: | 3_2_00405930 | |
| Source: | Code function: | 3_2_00405930 | |
| Source: | Code function: | 3_2_0043A9D6 | |
| Source: | Code function: | 3_2_004409E0 | |
| Source: | Code function: | 3_2_00426190 | |
| Source: | Code function: | 3_2_0043E9B3 | |
| Source: | Code function: | 3_2_00427A3F | |
| Source: | Code function: | 3_2_0041F2C0 | |
| Source: | Code function: | 3_2_004292E0 | |
| Source: | Code function: | 3_2_004402B0 | |
| Source: | Code function: | 3_2_004402B0 | |
| Source: | Code function: | 3_2_00402B70 | |
| Source: | Code function: | 3_2_00436370 | |
| Source: | Code function: | 3_2_00408B00 | |
| Source: | Code function: | 3_2_0042D306 | |
| Source: | Code function: | 3_2_00428307 | |
| Source: | Code function: | 3_2_004393C0 | |
| Source: | Code function: | 3_2_004403D0 | |
| Source: | Code function: | 3_2_004403D0 | |
| Source: | Code function: | 3_2_0042BBE3 | |
| Source: | Code function: | 3_2_0042BC53 | |
| Source: | Code function: | 3_2_0043EC60 | |
| Source: | Code function: | 3_2_00416C77 | |
| Source: | Code function: | 3_2_0042D4D0 | |
| Source: | Code function: | 3_2_00419C90 | |
| Source: | Code function: | 3_2_00419C90 | |
| Source: | Code function: | 3_2_0042D49A | |
| Source: | Code function: | 3_2_004074A0 | |
| Source: | Code function: | 3_2_004074A0 | |
| Source: | Code function: | 3_2_0042BB19 | |
| Source: | Code function: | 3_2_00440550 | |
| Source: | Code function: | 3_2_0041C561 | |
| Source: | Code function: | 3_2_0041C561 | |
| Source: | Code function: | 3_2_0041C561 | |
| Source: | Code function: | 3_2_00426513 | |
| Source: | Code function: | 3_2_00425DEA | |
| Source: | Code function: | 3_2_00425DEA | |
| Source: | Code function: | 3_2_0043A640 | |
| Source: | Code function: | 3_2_0042D64C | |
| Source: | Code function: | 3_2_0043EE50 | |
| Source: | Code function: | 3_2_0042A660 | |
| Source: | Code function: | 3_2_0041966B | |
| Source: | Code function: | 3_2_00425E70 | |
| Source: | Code function: | 3_2_00440600 | |
| Source: | Code function: | 3_2_0040DE13 | |
| Source: | Code function: | 3_2_00417E1A | |
| Source: | Code function: | 3_2_00417E1A | |
| Source: | Code function: | 3_2_00422E3F | |
| Source: | Code function: | 3_2_00422E3F | |
| Source: | Code function: | 3_2_00422E3F | |
| Source: | Code function: | 3_2_00440690 | |
| Source: | Code function: | 3_2_004146A0 | |
| Source: | Code function: | 3_2_004146A0 | |
| Source: | Code function: | 3_2_004146A0 | |
| Source: | Code function: | 3_2_00426EB0 | |
| Source: | Code function: | 3_2_0040A770 | |
| Source: | Code function: | 3_2_00415F19 | |
| Source: | Code function: | 3_2_004227E0 | |
| Source: | Code function: | 3_2_00416790 | |
| Source: | Code function: | 3_2_00416790 | |
| Source: | Code function: | 3_2_0040B79B | |
| Source: | Code function: | 3_2_0041E7A0 | |
| Source: | Code function: | 3_2_0043F7B2 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 3_2_00433600 | |
| Source: | Code function: | 3_2_00433600 | |
| Source: | Code function: | 3_2_00433B7A | |
| Source: | Code function: | 0_2_00921000 | |
| Source: | Code function: | 0_2_009340A2 | |
| Source: | Code function: | 0_2_0092F645 | |
| Source: | Code function: | 0_2_00947882 | |
| Source: | Code function: | 0_2_00939DB0 | |
| Source: | Code function: | 0_2_00945D4E | |
| Source: | Code function: | 2_2_009340A2 | |
| Source: | Code function: | 2_2_00921000 | |
| Source: | Code function: | 2_2_0092F645 | |
| Source: | Code function: | 2_2_00947882 | |
| Source: | Code function: | 2_2_00939DB0 | |
| Source: | Code function: | 2_2_00945D4E | |
| Source: | Code function: | 3_2_0042C9D4 | |
| Source: | Code function: | 3_2_00410A57 | |
| Source: | Code function: | 3_2_00415200 | |
| Source: | Code function: | 3_2_00409370 | |
| Source: | Code function: | 3_2_00426B70 | |
| Source: | Code function: | 3_2_00421B10 | |
| Source: | Code function: | 3_2_0043CB20 | |
| Source: | Code function: | 3_2_00423D40 | |
| Source: | Code function: | 3_2_0040CD4E | |
| Source: | Code function: | 3_2_004085F0 | |
| Source: | Code function: | 3_2_00440E00 | |
| Source: | Code function: | 3_2_004396A0 | |
| Source: | Code function: | 3_2_00441700 | |
| Source: | Code function: | 3_2_0040D7CF | |
| Source: | Code function: | 3_2_00408800 | |
| Source: | Code function: | 3_2_0041780D | |
| Source: | Code function: | 3_2_004410D0 | |
| Source: | Code function: | 3_2_0042788F | |
| Source: | Code function: | 3_2_00403900 | |
| Source: | Code function: | 3_2_0041C900 | |
| Source: | Code function: | 3_2_00412100 | |
| Source: | Code function: | 3_2_0043A120 | |
| Source: | Code function: | 3_2_00405930 | |
| Source: | Code function: | 3_2_0043D1C0 | |
| Source: | Code function: | 3_2_004081D0 | |
| Source: | Code function: | 3_2_0043A9D6 | |
| Source: | Code function: | 3_2_004259E4 | |
| Source: | Code function: | 3_2_00433180 | |
| Source: | Code function: | 3_2_00424990 | |
| Source: | Code function: | 3_2_00406240 | |
| Source: | Code function: | 3_2_00431210 | |
| Source: | Code function: | 3_2_0041E220 | |
| Source: | Code function: | 3_2_00427A3F | |
| Source: | Code function: | 3_2_004042B0 | |
| Source: | Code function: | 3_2_004402B0 | |
| Source: | Code function: | 3_2_0041DB40 | |
| Source: | Code function: | 3_2_00422370 | |
| Source: | Code function: | 3_2_00408B00 | |
| Source: | Code function: | 3_2_00424B00 | |
| Source: | Code function: | 3_2_00428307 | |
| Source: | Code function: | 3_2_004403D0 | |
| Source: | Code function: | 3_2_004413E0 | |
| Source: | Code function: | 3_2_00404BF0 | |
| Source: | Code function: | 3_2_0041AB80 | |
| Source: | Code function: | 3_2_00438C5D | |
| Source: | Code function: | 3_2_00416C77 | |
| Source: | Code function: | 3_2_00437C78 | |
| Source: | Code function: | 3_2_0042AC30 | |
| Source: | Code function: | 3_2_0042F4F6 | |
| Source: | Code function: | 3_2_00419C90 | |
| Source: | Code function: | 3_2_00416492 | |
| Source: | Code function: | 3_2_0042CCA2 | |
| Source: | Code function: | 3_2_004074A0 | |
| Source: | Code function: | 3_2_004264B0 | |
| Source: | Code function: | 3_2_00438CB0 | |
| Source: | Code function: | 3_2_0041E540 | |
| Source: | Code function: | 3_2_00440550 | |
| Source: | Code function: | 3_2_0041C561 | |
| Source: | Code function: | 3_2_0042D57F | |
| Source: | Code function: | 3_2_004385C7 | |
| Source: | Code function: | 3_2_00411DC9 | |
| Source: | Code function: | 3_2_00418DE6 | |
| Source: | Code function: | 3_2_0040ADEC | |
| Source: | Code function: | 3_2_004115F1 | |
| Source: | Code function: | 3_2_00420583 | |
| Source: | Code function: | 3_2_0042E64D | |
| Source: | Code function: | 3_2_0041966B | |
| Source: | Code function: | 3_2_00440600 | |
| Source: | Code function: | 3_2_0041DE10 | |
| Source: | Code function: | 3_2_00417E1A | |
| Source: | Code function: | 3_2_00422E3F | |
| Source: | Code function: | 3_2_00402EC0 | |
| Source: | Code function: | 3_2_004066D0 | |
| Source: | Code function: | 3_2_00426ED0 | |
| Source: | Code function: | 3_2_00440690 | |
| Source: | Code function: | 3_2_004146A0 | |
| Source: | Code function: | 3_2_00426EB0 | |
| Source: | Code function: | 3_2_00429740 | |
| Source: | Code function: | 3_2_0040A770 | |
| Source: | Code function: | 3_2_00428770 | |
| Source: | Code function: | 3_2_00438F10 | |
| Source: | Code function: | 3_2_0043D710 | |
| Source: | Code function: | 3_2_00415F19 | |
| Source: | Code function: | 3_2_00436F2C | |
| Source: | Code function: | 3_2_0043A7D0 | |
| Source: | Code function: | 3_2_004227E0 | |
| Source: | Code function: | 3_2_00416FF0 | |
| Source: | Code function: | 3_2_0040C782 | |
| Source: | Code function: | 3_2_0043AF80 | |
| Source: | Code function: | 3_2_00408F90 | |
| Source: | Code function: | 3_2_00416790 | |
| Source: | Code function: | 3_2_00430797 | |
| Source: | Code function: | 3_2_0041E7A0 | |
| Source: | Code function: | 3_2_0043F7B2 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 3_2_004396A0 | |
| Source: | Mutant created: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_0092FC86 | |
| Source: | Code function: | 2_2_0092FC86 | |
| Source: | Code function: | 3_2_00440245 | |
| Source: | Code function: | 3_2_00446500 | |
| Source: | Code function: | 3_2_00446682 | |
| Source: | Code function: | 3_2_00446682 | |
| Source: | Code function: | 3_2_004307CB | |
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | WMI Queries: | ||
| Source: | System information queried: | Jump to behavior | ||
| Source: | Evasive API call chain: | graph_0-21165 | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | Code function: | 0_2_009420D9 | |
| Source: | Code function: | 0_2_00942028 | |
| Source: | Code function: | 2_2_009420D9 | |
| Source: | Code function: | 2_2_00942028 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 3_2_0043EBA0 | |
| Source: | Code function: | 0_2_0092F9D9 | |
| Source: | Code function: | 0_2_00922060 | |
| Source: | Code function: | 0_2_0095A19E | |
| Source: | Code function: | 2_2_00922060 | |
| Source: | Code function: | 0_2_0093D9D0 | |
| Source: | Code function: | 0_2_0092F61D | |
| Source: | Code function: | 0_2_0092F9D9 | |
| Source: | Code function: | 0_2_0092F9CD | |
| Source: | Code function: | 0_2_00937F20 | |
| Source: | Code function: | 2_2_0092F61D | |
| Source: | Code function: | 2_2_0092F9D9 | |
| Source: | Code function: | 2_2_0092F9CD | |
| Source: | Code function: | 2_2_00937F20 | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Code function: | 0_2_0095A19E | |
| Source: | Memory written: | Jump to behavior | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_0093D2AD | |
| Source: | Code function: | 0_2_00941377 | |
| Source: | Code function: | 0_2_009415C8 | |
| Source: | Code function: | 0_2_00941670 | |
| Source: | Code function: | 0_2_009418C3 | |
| Source: | Code function: | 0_2_00941930 | |
| Source: | Code function: | 0_2_00941AF7 | |
| Source: | Code function: | 0_2_00941A05 | |
| Source: | Code function: | 0_2_00941A50 | |
| Source: | Code function: | 0_2_00941BFD | |
| Source: | Code function: | 0_2_0093CD05 | |
| Source: | Code function: | 2_2_0093D2AD | |
| Source: | Code function: | 2_2_00941377 | |
| Source: | Code function: | 2_2_009415C8 | |
| Source: | Code function: | 2_2_009418C3 | |
| Source: | Code function: | 2_2_00941930 | |
| Source: | Code function: | 2_2_00941AF7 | |
| Source: | Code function: | 2_2_00941A05 | |
| Source: | Code function: | 2_2_00941A50 | |
| Source: | Code function: | 2_2_00941BFD | |
| Source: | Code function: | 2_2_0093CD05 | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_009301A4 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 DLL Side-Loading | 211 Process Injection | 21 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 211 Process Injection | LSASS Memory | 241 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 41 Data from Local System | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 1 Process Discovery | Distributed Component Object Model | 2 Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 11 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 33 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| undesirabkel.click | 104.21.30.13 | true | true | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown | |
| false | high | ||
| false | high | ||
| false | high | ||
| false | high | ||
| true |
| unknown | |
| false | high | ||
| false | high | ||
| false | high | ||
| false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | unknown | |||
| false |
| unknown | ||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 104.21.30.13 | undesirabkel.click | United States | 13335 | CLOUDFLARENETUS | true |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1581511 |
| Start date and time: | 2024-12-27 23:26:06 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 3m 48s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 7 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | Loader.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@6/1@1/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.63
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target Loader.exe, PID 7400 because there are no executed function
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- VT rate limit hit for: Loader.exe
| Time | Type | Description |
|---|---|---|
| 17:26:58 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 104.21.30.13 | Get hash | malicious | LummaC | Browse | ||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| undesirabkel.click | Get hash | malicious | LummaC | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
|
⊘No context
| Process: | C:\Users\user\Desktop\Loader.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 14402 |
| Entropy (8bit): | 4.874636730022465 |
| Encrypted: | false |
| SSDEEP: | 384:vlICCmV5fTMzsM3qlICCmV5fTMzsM3ip9guFx2rBhiLfmfU:vGCC+dMOGCC+dMY9guFx2rBo |
| MD5: | DF0EFD0545733561C6E165770FB3661C |
| SHA1: | 0F3AD477176CF235C6C59EE2EB15D81DCB6178A8 |
| SHA-256: | A434B406E97A2C892FA88C3975D8181EBEA62A8DA919C5221409E425DF50FD17 |
| SHA-512: | 3FF527435BC8BCF2640E0B64725CC0DB8A801D912698D4D94C44200529268B80AA7B59A2E2A2EA6C4621E09AA249AAA3583A8D90E4F5D7B68E0E6FFFEB759918 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.567353425486414 |
| TrID: |
|
| File name: | Loader.exe |
| File size: | 567'296 bytes |
| MD5: | 7773630abc9d30d9e4fb74481736224c |
| SHA1: | 960bcdda71ed3b4bef604dc549cdf4a0f84c4636 |
| SHA256: | 3cac35e6047f481ebf1530b5e63e9ad9846963dea7238351770dd6f21b846711 |
| SHA512: | ee91f6aef70f96c39361c20bbe26b697367941977cfba4f1f1847db7e393a1906f41a5ca26c4af2bed7fc1935062c97f9dc89a8bd8047aad2217439c636cfa28 |
| SSDEEP: | 12288:kiiy2LA/I0xusciua5z2NEpYBRupKm7BfHgq155ppbdGax1Ou75vunMGZa02qRPG:kiiy2LA/I0xusciua5CNEpYBRupKm7Be |
| TLSH: | ECC4D0127281C0B3D96316765C78C7794A3EBC100F616AC797984BBEDEB06D19F30A6E |
| File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....[mg..........................................@.......................................@..................................j..<.. |
 | |
| Icon Hash: | 90cececece8e8eb0 |
| Entrypoint: | 0x410590 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows cui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x676D5BDA [Thu Dec 26 13:36:26 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 35f2e35a9ab5b63b150853141ee62e01 |
| Instruction |
|---|
| call 00007F929CE6E1FAh |
| jmp 00007F929CE6E05Dh |
| mov ecx, dword ptr [0043B680h] |
| push esi |
| push edi |
| mov edi, BB40E64Eh |
| mov esi, FFFF0000h |
| cmp ecx, edi |
| je 00007F929CE6E1F6h |
| test esi, ecx |
| jne 00007F929CE6E218h |
| call 00007F929CE6E221h |
| mov ecx, eax |
| cmp ecx, edi |
| jne 00007F929CE6E1F9h |
| mov ecx, BB40E64Fh |
| jmp 00007F929CE6E200h |
| test esi, ecx |
| jne 00007F929CE6E1FCh |
| or eax, 00004711h |
| shl eax, 10h |
| or ecx, eax |
| mov dword ptr [0043B680h], ecx |
| not ecx |
| pop edi |
| mov dword ptr [0043B6C0h], ecx |
| pop esi |
| ret |
| push ebp |
| mov ebp, esp |
| sub esp, 14h |
| lea eax, dword ptr [ebp-0Ch] |
| xorps xmm0, xmm0 |
| push eax |
| movlpd qword ptr [ebp-0Ch], xmm0 |
| call dword ptr [00436D0Ch] |
| mov eax, dword ptr [ebp-08h] |
| xor eax, dword ptr [ebp-0Ch] |
| mov dword ptr [ebp-04h], eax |
| call dword ptr [00436CC4h] |
| xor dword ptr [ebp-04h], eax |
| call dword ptr [00436CC0h] |
| xor dword ptr [ebp-04h], eax |
| lea eax, dword ptr [ebp-14h] |
| push eax |
| call dword ptr [00436D5Ch] |
| mov eax, dword ptr [ebp-10h] |
| lea ecx, dword ptr [ebp-04h] |
| xor eax, dword ptr [ebp-14h] |
| xor eax, dword ptr [ebp-04h] |
| xor eax, ecx |
| leave |
| ret |
| mov eax, 00004000h |
| ret |
| push 0043CF48h |
| call dword ptr [00436D34h] |
| ret |
| push 00030000h |
| push 00010000h |
| push 00000000h |
| call 00007F929CE74FD3h |
| add esp, 0Ch |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x36a8c | 0x3c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8f000 | 0x3fc | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3f000 | 0x2758 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x32618 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2eaa8 | 0xc0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x36c4c | 0x184 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x2b5ba | 0x2b600 | 8e72f979a692e30591852f96987fd08f | False | 0.5447136167146974 | data | 6.592696701047982 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x2d000 | 0xc564 | 0xc600 | d34fae497fb62cbb1bc8f3b2d6d79c25 | False | 0.4033696338383838 | data | 4.744194731846056 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x3a000 | 0x3714 | 0x2800 | f57039ea5e709bc930aadb529c6e1a9d | False | 0.29794921875 | data | 5.024446305521937 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .tls | 0x3e000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .reloc | 0x3f000 | 0x2758 | 0x2800 | 26cb1ac5cc2461d1d4d4b059e129fd1f | False | 0.751953125 | data | 6.531626083298937 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| .bss | 0x42000 | 0x4d000 | 0x4d000 | 183f98511ebb2d7ebd985f00b0c819db | False | 1.0003360896915585 | data | 7.9994026084018195 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x8f000 | 0x3fc | 0x400 | 6d588082959117d83b5b94b45915208a | False | 0.4423828125 | data | 3.391431520369637 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_VERSION | 0x8f058 | 0x3a4 | data | English | United States | 0.44849785407725323 |
| DLL | Import |
|---|---|
| KERNEL32.dll | AcquireSRWLockExclusive, CloseHandle, CloseThreadpoolWork, CompareStringW, CreateFileW, CreateThread, CreateThreadpoolWork, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, ExitThread, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, FreeLibraryWhenCallbackReturns, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetExitCodeThread, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitOnceBeginInitialize, InitOnceComplete, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, SubmitThreadpoolWork, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, WaitForSingleObjectEx, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile |
| ADVAPI32.dll | CryptDestroyKey, CryptEncrypt |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-27T23:26:57.370528+0100 | 2058550 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (undesirabkel .click) | 1 | 192.168.2.4 | 64722 | 1.1.1.1 | 53 | UDP |
| 2024-12-27T23:26:58.822905+0100 | 2058551 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) | 1 | 192.168.2.4 | 49730 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:26:58.822905+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49730 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:26:59.564081+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49730 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:26:59.564081+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49730 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:27:00.794201+0100 | 2058551 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) | 1 | 192.168.2.4 | 49731 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:27:00.794201+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:27:01.586988+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49731 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:27:01.586988+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49731 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:27:03.254522+0100 | 2058551 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) | 1 | 192.168.2.4 | 49732 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:27:03.254522+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49732 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:27:06.637591+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49732 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:27:07.941464+0100 | 2058551 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) | 1 | 192.168.2.4 | 49733 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:27:07.941464+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49733 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:27:10.195422+0100 | 2058551 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) | 1 | 192.168.2.4 | 49734 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:27:10.195422+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49734 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:27:12.836751+0100 | 2058551 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) | 1 | 192.168.2.4 | 49735 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:27:12.836751+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49735 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:27:15.839085+0100 | 2058551 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) | 1 | 192.168.2.4 | 49737 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:27:15.839085+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49737 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:27:20.017873+0100 | 2058551 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) | 1 | 192.168.2.4 | 49741 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:27:20.017873+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49741 | 104.21.30.13 | 443 | TCP |
| 2024-12-27T23:27:20.785675+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49741 | 104.21.30.13 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 27, 2024 23:26:57.597110987 CET | 49730 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:26:57.597134113 CET | 443 | 49730 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:26:57.597239971 CET | 49730 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:26:57.600778103 CET | 49730 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:26:57.600790024 CET | 443 | 49730 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:26:58.822835922 CET | 443 | 49730 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:26:58.822905064 CET | 49730 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:26:58.833307981 CET | 49730 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:26:58.833321095 CET | 443 | 49730 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:26:58.833606958 CET | 443 | 49730 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:26:58.883348942 CET | 49730 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:26:58.892082930 CET | 49730 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:26:58.892117977 CET | 49730 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:26:58.892184973 CET | 443 | 49730 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:26:59.564101934 CET | 443 | 49730 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:26:59.564207077 CET | 443 | 49730 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:26:59.564265013 CET | 49730 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:26:59.569823980 CET | 49730 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:26:59.569834948 CET | 443 | 49730 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:26:59.579668045 CET | 49731 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:26:59.579725027 CET | 443 | 49731 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:26:59.579813957 CET | 49731 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:26:59.580122948 CET | 49731 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:26:59.580138922 CET | 443 | 49731 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:00.794121027 CET | 443 | 49731 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:00.794200897 CET | 49731 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:00.795536995 CET | 49731 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:00.795547009 CET | 443 | 49731 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:00.795753956 CET | 443 | 49731 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:00.797404051 CET | 49731 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:00.797437906 CET | 49731 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:00.797466993 CET | 443 | 49731 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:01.586996078 CET | 443 | 49731 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:01.587052107 CET | 443 | 49731 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:01.587101936 CET | 49731 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:01.587124109 CET | 443 | 49731 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:01.587172985 CET | 443 | 49731 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:01.587205887 CET | 443 | 49731 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:01.587220907 CET | 49731 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:01.587228060 CET | 443 | 49731 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:01.587268114 CET | 49731 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:01.587275028 CET | 443 | 49731 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:01.603333950 CET | 443 | 49731 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:01.603404999 CET | 49731 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:01.603411913 CET | 443 | 49731 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:01.611558914 CET | 443 | 49731 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:01.611630917 CET | 49731 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:01.611637115 CET | 443 | 49731 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:01.664721012 CET | 49731 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:01.706607103 CET | 443 | 49731 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:01.758501053 CET | 49731 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:01.758507967 CET | 443 | 49731 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:01.782675982 CET | 443 | 49731 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:01.782711983 CET | 443 | 49731 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:01.782742977 CET | 49731 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:01.782749891 CET | 443 | 49731 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:01.782793999 CET | 49731 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:01.782802105 CET | 443 | 49731 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:01.782812119 CET | 443 | 49731 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:01.782869101 CET | 49731 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:01.783133030 CET | 49731 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:01.783140898 CET | 443 | 49731 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:01.783153057 CET | 49731 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:01.783158064 CET | 443 | 49731 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:02.036906004 CET | 49732 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:02.036955118 CET | 443 | 49732 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:02.037029028 CET | 49732 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:02.037395000 CET | 49732 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:02.037411928 CET | 443 | 49732 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:03.254448891 CET | 443 | 49732 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:03.254522085 CET | 49732 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:03.255753040 CET | 49732 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:03.255767107 CET | 443 | 49732 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:03.255992889 CET | 443 | 49732 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:03.257086039 CET | 49732 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:03.257216930 CET | 49732 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:03.257246971 CET | 443 | 49732 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:03.257313013 CET | 49732 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:03.257319927 CET | 443 | 49732 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:06.637599945 CET | 443 | 49732 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:06.637737989 CET | 443 | 49732 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:06.637836933 CET | 49732 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:06.638031960 CET | 49732 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:06.638045073 CET | 443 | 49732 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:06.724975109 CET | 49733 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:06.725004911 CET | 443 | 49733 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:06.725083113 CET | 49733 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:06.725406885 CET | 49733 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:06.725419044 CET | 443 | 49733 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:07.941350937 CET | 443 | 49733 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:07.941463947 CET | 49733 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:07.943099976 CET | 49733 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:07.943109989 CET | 443 | 49733 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:07.944092989 CET | 443 | 49733 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:07.945746899 CET | 49733 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:07.945877075 CET | 49733 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:07.945911884 CET | 443 | 49733 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:08.743118048 CET | 443 | 49733 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:08.743235111 CET | 443 | 49733 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:08.743280888 CET | 49733 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:08.744271994 CET | 49733 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:08.744291067 CET | 443 | 49733 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:08.935646057 CET | 49734 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:08.935681105 CET | 443 | 49734 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:08.935753107 CET | 49734 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:08.936083078 CET | 49734 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:08.936098099 CET | 443 | 49734 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:10.195358038 CET | 443 | 49734 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:10.195421934 CET | 49734 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:10.197468996 CET | 49734 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:10.197479963 CET | 443 | 49734 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:10.197710037 CET | 443 | 49734 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:10.198728085 CET | 49734 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:10.198918104 CET | 49734 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:10.198951960 CET | 443 | 49734 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:10.199007034 CET | 49734 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:10.199016094 CET | 443 | 49734 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:11.175981998 CET | 443 | 49734 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:11.176088095 CET | 443 | 49734 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:11.176137924 CET | 49734 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:11.176238060 CET | 49734 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:11.176254988 CET | 443 | 49734 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:11.622534990 CET | 49735 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:11.622595072 CET | 443 | 49735 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:11.622670889 CET | 49735 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:11.622975111 CET | 49735 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:11.622988939 CET | 443 | 49735 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:12.836654902 CET | 443 | 49735 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:12.836750984 CET | 49735 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:13.009571075 CET | 49735 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:13.009605885 CET | 443 | 49735 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:13.009979963 CET | 443 | 49735 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:13.011249065 CET | 49735 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:13.011519909 CET | 49735 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:13.011526108 CET | 443 | 49735 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:13.770487070 CET | 443 | 49735 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:13.770585060 CET | 443 | 49735 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:13.770641088 CET | 49735 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:13.770837069 CET | 49735 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:13.770853043 CET | 443 | 49735 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:14.244735003 CET | 49737 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:14.244776964 CET | 443 | 49737 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:14.244908094 CET | 49737 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:14.245260000 CET | 49737 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:14.245274067 CET | 443 | 49737 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:15.838982105 CET | 443 | 49737 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:15.839085102 CET | 49737 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:15.840667963 CET | 49737 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:15.840677977 CET | 443 | 49737 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:15.840996981 CET | 443 | 49737 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:15.849910021 CET | 49737 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:15.850821018 CET | 49737 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:15.850862980 CET | 443 | 49737 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:15.850958109 CET | 49737 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:15.850991964 CET | 443 | 49737 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:15.851110935 CET | 49737 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:15.851170063 CET | 443 | 49737 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:15.851294994 CET | 49737 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:15.851326942 CET | 443 | 49737 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:15.851475954 CET | 49737 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:15.851505041 CET | 443 | 49737 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:15.851660013 CET | 49737 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:15.851690054 CET | 443 | 49737 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:15.851718903 CET | 49737 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:15.851865053 CET | 49737 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:15.851901054 CET | 49737 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:15.899322033 CET | 443 | 49737 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:15.899532080 CET | 49737 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:15.899589062 CET | 49737 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:15.899605989 CET | 49737 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:15.947330952 CET | 443 | 49737 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:15.947540045 CET | 49737 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:15.947598934 CET | 49737 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:15.947633028 CET | 49737 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:15.995332003 CET | 443 | 49737 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:15.995485067 CET | 49737 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:16.039331913 CET | 443 | 49737 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:16.316534042 CET | 443 | 49737 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:18.727063894 CET | 443 | 49737 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:18.727188110 CET | 443 | 49737 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:18.727245092 CET | 49737 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:18.727444887 CET | 49737 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:18.727461100 CET | 443 | 49737 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:18.801692963 CET | 49741 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:18.801723003 CET | 443 | 49741 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:18.801800966 CET | 49741 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:18.802165031 CET | 49741 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:18.802177906 CET | 443 | 49741 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:20.017796993 CET | 443 | 49741 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:20.017873049 CET | 49741 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:20.021262884 CET | 49741 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:20.021279097 CET | 443 | 49741 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:20.021631002 CET | 443 | 49741 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:20.031089067 CET | 49741 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:20.031117916 CET | 49741 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:20.031179905 CET | 443 | 49741 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:20.785696983 CET | 443 | 49741 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:20.785825014 CET | 443 | 49741 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:20.785897970 CET | 49741 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:20.786079884 CET | 49741 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:20.786103010 CET | 443 | 49741 | 104.21.30.13 | 192.168.2.4 |
| Dec 27, 2024 23:27:20.786117077 CET | 49741 | 443 | 192.168.2.4 | 104.21.30.13 |
| Dec 27, 2024 23:27:20.786124945 CET | 443 | 49741 | 104.21.30.13 | 192.168.2.4 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 27, 2024 23:26:57.370527983 CET | 64722 | 53 | 192.168.2.4 | 1.1.1.1 |
| Dec 27, 2024 23:26:57.587225914 CET | 53 | 64722 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Dec 27, 2024 23:26:57.370527983 CET | 192.168.2.4 | 1.1.1.1 | 0x9f8a | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Dec 27, 2024 23:26:57.587225914 CET | 1.1.1.1 | 192.168.2.4 | 0x9f8a | No error (0) | 104.21.30.13 | A (IP address) | IN (0x0001) | false | ||
| Dec 27, 2024 23:26:57.587225914 CET | 1.1.1.1 | 192.168.2.4 | 0x9f8a | No error (0) | 172.67.150.49 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49730 | 104.21.30.13 | 443 | 7408 | C:\Users\user\Desktop\Loader.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-27 22:26:58 UTC | 265 | OUT | |
| 2024-12-27 22:26:58 UTC | 8 | OUT | |
| 2024-12-27 22:26:59 UTC | 1129 | IN | |
| 2024-12-27 22:26:59 UTC | 7 | IN | |
| 2024-12-27 22:26:59 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49731 | 104.21.30.13 | 443 | 7408 | C:\Users\user\Desktop\Loader.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-27 22:27:00 UTC | 266 | OUT | |
| 2024-12-27 22:27:00 UTC | 54 | OUT | |
| 2024-12-27 22:27:01 UTC | 1125 | IN | |
| 2024-12-27 22:27:01 UTC | 244 | IN | |
| 2024-12-27 22:27:01 UTC | 1369 | IN | |
| 2024-12-27 22:27:01 UTC | 1369 | IN | |
| 2024-12-27 22:27:01 UTC | 1369 | IN | |
| 2024-12-27 22:27:01 UTC | 1369 | IN | |
| 2024-12-27 22:27:01 UTC | 1369 | IN | |
| 2024-12-27 22:27:01 UTC | 1369 | IN | |
| 2024-12-27 22:27:01 UTC | 1369 | IN | |
| 2024-12-27 22:27:01 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.4 | 49732 | 104.21.30.13 | 443 | 7408 | C:\Users\user\Desktop\Loader.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-27 22:27:03 UTC | 276 | OUT | |
| 2024-12-27 22:27:03 UTC | 15331 | OUT | |
| 2024-12-27 22:27:03 UTC | 2791 | OUT | |
| 2024-12-27 22:27:06 UTC | 1130 | IN | |
| 2024-12-27 22:27:06 UTC | 20 | IN | |
| 2024-12-27 22:27:06 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.4 | 49733 | 104.21.30.13 | 443 | 7408 | C:\Users\user\Desktop\Loader.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-27 22:27:07 UTC | 284 | OUT | |
| 2024-12-27 22:27:07 UTC | 8797 | OUT | |
| 2024-12-27 22:27:08 UTC | 1129 | IN | |
| 2024-12-27 22:27:08 UTC | 20 | IN | |
| 2024-12-27 22:27:08 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.4 | 49734 | 104.21.30.13 | 443 | 7408 | C:\Users\user\Desktop\Loader.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-27 22:27:10 UTC | 277 | OUT | |
| 2024-12-27 22:27:10 UTC | 15331 | OUT | |
| 2024-12-27 22:27:10 UTC | 5071 | OUT | |
| 2024-12-27 22:27:11 UTC | 1143 | IN | |
| 2024-12-27 22:27:11 UTC | 20 | IN | |
| 2024-12-27 22:27:11 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.4 | 49735 | 104.21.30.13 | 443 | 7408 | C:\Users\user\Desktop\Loader.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-27 22:27:13 UTC | 280 | OUT | |
| 2024-12-27 22:27:13 UTC | 1236 | OUT | |
| 2024-12-27 22:27:13 UTC | 1138 | IN | |
| 2024-12-27 22:27:13 UTC | 20 | IN | |
| 2024-12-27 22:27:13 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.4 | 49737 | 104.21.30.13 | 443 | 7408 | C:\Users\user\Desktop\Loader.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-27 22:27:15 UTC | 280 | OUT | |
| 2024-12-27 22:27:15 UTC | 15331 | OUT | |
| 2024-12-27 22:27:15 UTC | 15331 | OUT | |
| 2024-12-27 22:27:15 UTC | 15331 | OUT | |
| 2024-12-27 22:27:15 UTC | 15331 | OUT | |
| 2024-12-27 22:27:15 UTC | 15331 | OUT | |
| 2024-12-27 22:27:15 UTC | 15331 | OUT | |
| 2024-12-27 22:27:15 UTC | 15331 | OUT | |
| 2024-12-27 22:27:15 UTC | 15331 | OUT | |
| 2024-12-27 22:27:15 UTC | 15331 | OUT | |
| 2024-12-27 22:27:15 UTC | 15331 | OUT | |
| 2024-12-27 22:27:18 UTC | 1135 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.4 | 49741 | 104.21.30.13 | 443 | 7408 | C:\Users\user\Desktop\Loader.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-27 22:27:20 UTC | 266 | OUT | |
| 2024-12-27 22:27:20 UTC | 89 | OUT | |
| 2024-12-27 22:27:20 UTC | 1125 | IN | |
| 2024-12-27 22:27:20 UTC | 54 | IN | |
| 2024-12-27 22:27:20 UTC | 5 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 17:26:54 |
| Start date: | 27/12/2024 |
| Path: | C:\Users\user\Desktop\Loader.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x920000 |
| File size: | 567'296 bytes |
| MD5 hash: | 7773630ABC9D30D9E4FB74481736224C |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 17:26:54 |
| Start date: | 27/12/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7699e0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 17:26:55 |
| Start date: | 27/12/2024 |
| Path: | C:\Users\user\Desktop\Loader.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x920000 |
| File size: | 567'296 bytes |
| MD5 hash: | 7773630ABC9D30D9E4FB74481736224C |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 17:26:55 |
| Start date: | 27/12/2024 |
| Path: | C:\Users\user\Desktop\Loader.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x920000 |
| File size: | 567'296 bytes |
| MD5 hash: | 7773630ABC9D30D9E4FB74481736224C |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 6.5% |
| Dynamic/Decrypted Code Coverage: | 1.1% |
| Signature Coverage: | 5.3% |
| Total number of Nodes: | 804 |
| Total number of Limit Nodes: | 23 |
Graph
Function 0095A19E Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 295threadinjectionmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00922560 Relevance: 10.6, APIs: 7, Instructions: 82encryptionthreadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00922060 Relevance: 9.2, APIs: 6, Instructions: 200fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00921000 Relevance: .1, Instructions: 89COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0093CFFB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00935439 Relevance: 4.6, APIs: 3, Instructions: 51threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 009355DE Relevance: 4.5, APIs: 3, Instructions: 30threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00929290 Relevance: 3.1, APIs: 2, Instructions: 73COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0093DB42 Relevance: 3.1, APIs: 2, Instructions: 65COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00921FA0 Relevance: 3.1, APIs: 2, Instructions: 60memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00935560 Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00922320 Relevance: 3.0, APIs: 2, Instructions: 29COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0093BFC7 Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0092DFE0 Relevance: 1.6, APIs: 1, Instructions: 116COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0092CC30 Relevance: 1.6, APIs: 1, Instructions: 111COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0092B200 Relevance: 1.6, APIs: 1, Instructions: 66COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0092CC22 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00927910 Relevance: 1.5, APIs: 1, Instructions: 37COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0093C001 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00929A90 Relevance: 1.5, APIs: 1, Instructions: 30COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00941AF7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00939DB0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 009420D9 Relevance: 6.2, APIs: 4, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0092F9D9 Relevance: 6.1, APIs: 4, Instructions: 70COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00941670 Relevance: 4.7, APIs: 3, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0092F645 Relevance: 1.7, APIs: 1, Instructions: 242COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00942028 Relevance: 1.7, APIs: 1, Instructions: 199fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00941930 Relevance: 1.6, APIs: 1, Instructions: 83COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 009340A2 Relevance: 1.6, Strings: 1, Instructions: 318COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00941A50 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00941BFD Relevance: 1.5, APIs: 1, Instructions: 48COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0092F9CD Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0093D9D0 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0092FF19 Relevance: 12.2, APIs: 8, Instructions: 177COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0093EF66 Relevance: 10.8, APIs: 7, Instructions: 329COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00930170 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00929CD0 Relevance: 9.1, APIs: 6, Instructions: 125COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0093B65E Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 009356B4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0093D7DA Relevance: 7.7, APIs: 5, Instructions: 197COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0092F0E1 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00923E10 Relevance: 7.6, APIs: 5, Instructions: 111COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0092D5B2 Relevance: 7.5, APIs: 5, Instructions: 49COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00946A30 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 009273C0 Relevance: 6.1, APIs: 4, Instructions: 129threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00924600 Relevance: 6.1, APIs: 4, Instructions: 112COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00941EB6 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00932C92 Relevance: 6.1, APIs: 4, Instructions: 79COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 009432AE Relevance: 6.1, APIs: 4, Instructions: 74COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0092E982 Relevance: 6.1, APIs: 4, Instructions: 60COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 009305E5 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00940A66 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0093BA82 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 120COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00924030 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0093B2EE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 009227F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00922560 Relevance: 10.6, APIs: 7, Instructions: 82encryptionthreadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00922060 Relevance: 7.7, APIs: 5, Instructions: 200fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00941377 Relevance: 7.7, APIs: 5, Instructions: 182COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00939DB0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 009420D9 Relevance: 6.2, APIs: 4, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0092F9D9 Relevance: 6.1, APIs: 4, Instructions: 70COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0094ABD2 Relevance: 12.2, APIs: 8, Instructions: 248COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0092FF19 Relevance: 12.2, APIs: 8, Instructions: 177COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0093EF66 Relevance: 10.8, APIs: 7, Instructions: 329COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00930170 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00945071 Relevance: 9.3, APIs: 6, Instructions: 292COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00929CD0 Relevance: 9.1, APIs: 6, Instructions: 125COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0093ADD7 Relevance: 9.1, APIs: 6, Instructions: 60COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 009356B4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0093D7DA Relevance: 7.7, APIs: 5, Instructions: 197COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0092F0E1 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00923E10 Relevance: 7.6, APIs: 5, Instructions: 111COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0092D5B2 Relevance: 7.5, APIs: 5, Instructions: 49COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0092AF77 Relevance: 7.5, APIs: 5, Instructions: 44COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00946A30 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0094408E Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0093B385 Relevance: 6.2, APIs: 4, Instructions: 168COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 009273C0 Relevance: 6.1, APIs: 4, Instructions: 129threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00924600 Relevance: 6.1, APIs: 4, Instructions: 112COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00941EB6 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00932C92 Relevance: 6.1, APIs: 4, Instructions: 79COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 009432AE Relevance: 6.1, APIs: 4, Instructions: 74COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0092E982 Relevance: 6.1, APIs: 4, Instructions: 60COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0094AE90 Relevance: 6.0, APIs: 4, Instructions: 29COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 9.3% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 41.8% |
| Total number of Nodes: | 220 |
| Total number of Limit Nodes: | 14 |
Graph
Function 004396A0 Relevance: 21.6, APIs: 11, Strings: 1, Instructions: 644memorycomCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004085F0 Relevance: 7.7, APIs: 5, Instructions: 170threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00409370 Relevance: 5.4, Strings: 4, Instructions: 371COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00410A57 Relevance: 2.4, APIs: 1, Instructions: 885COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043EBA0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043F39E Relevance: 1.4, Strings: 1, Instructions: 190COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00441DA0 Relevance: 1.4, Strings: 1, Instructions: 125COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00440CE0 Relevance: 1.3, Strings: 1, Instructions: 97COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00440E00 Relevance: .3, Instructions: 275COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00439490 Relevance: .2, Instructions: 197COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00437426 Relevance: 1.6, APIs: 1, Instructions: 50COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043ECE8 Relevance: 1.5, APIs: 1, Instructions: 38COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043EB40 Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00431FE2 Relevance: 1.5, APIs: 1, Instructions: 23COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00430412 Relevance: 1.5, APIs: 1, Instructions: 22COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040C73B Relevance: 1.5, APIs: 1, Instructions: 21COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043ED29 Relevance: 1.5, APIs: 1, Instructions: 15COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043CAF2 Relevance: 1.5, APIs: 1, Instructions: 11memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043CAC0 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00422E3F Relevance: 11.2, Strings: 8, Instructions: 1220COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041780D Relevance: 7.9, Strings: 6, Instructions: 427COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040A770 Relevance: 7.9, Strings: 6, Instructions: 400COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00426190 Relevance: 6.5, Strings: 5, Instructions: 244COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00415F19 Relevance: 5.3, Strings: 4, Instructions: 336COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00426EB0 Relevance: 5.3, Strings: 4, Instructions: 281COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00416790 Relevance: 5.2, Strings: 4, Instructions: 248COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041E7A0 Relevance: 4.7, Strings: 3, Instructions: 938COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043A120 Relevance: 4.2, Strings: 3, Instructions: 478COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042D306 Relevance: 4.0, Strings: 3, Instructions: 249COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042D4D0 Relevance: 4.0, Strings: 3, Instructions: 221COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042D49A Relevance: 4.0, Strings: 3, Instructions: 218COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042D64C Relevance: 4.0, Strings: 3, Instructions: 217COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042BBE3 Relevance: 3.9, Strings: 3, Instructions: 198COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042BC53 Relevance: 3.9, Strings: 3, Instructions: 177COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042BB19 Relevance: 3.9, Strings: 3, Instructions: 137COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00427917 Relevance: 3.8, Strings: 3, Instructions: 30COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042788F Relevance: 3.7, APIs: 2, Instructions: 692COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00427A3F Relevance: 3.7, APIs: 2, Instructions: 668COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004146A0 Relevance: 3.5, Strings: 2, Instructions: 1049COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041C900 Relevance: 3.1, Strings: 2, Instructions: 645COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004227E0 Relevance: 2.9, Strings: 2, Instructions: 428COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041966B Relevance: 2.8, Strings: 2, Instructions: 250COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00416C77 Relevance: 2.7, Strings: 2, Instructions: 189COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043EE50 Relevance: 2.6, Strings: 2, Instructions: 52COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004402B0 Relevance: 2.0, Strings: 1, Instructions: 703COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004403D0 Relevance: 1.8, Strings: 1, Instructions: 594COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00440550 Relevance: 1.7, Strings: 1, Instructions: 478COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00440690 Relevance: 1.7, Strings: 1, Instructions: 442COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00440600 Relevance: 1.7, Strings: 1, Instructions: 441COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041C561 Relevance: 1.5, Strings: 1, Instructions: 281COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042B100 Relevance: 1.5, Strings: 1, Instructions: 236COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043E9B3 Relevance: 1.3, Strings: 1, Instructions: 97COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00426513 Relevance: 1.3, Strings: 1, Instructions: 64COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004074A0 Relevance: .6, Instructions: 611COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041D050 Relevance: .5, Instructions: 471COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043A9D6 Relevance: .5, Instructions: 464COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405930 Relevance: .4, Instructions: 448COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00428307 Relevance: .4, Instructions: 350COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004410D0 Relevance: .3, Instructions: 269COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004409E0 Relevance: .2, Instructions: 238COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041F2C0 Relevance: .2, Instructions: 204COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043A640 Relevance: .2, Instructions: 152COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00408B00 Relevance: .1, Instructions: 143COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043F7B2 Relevance: .1, Instructions: 138COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040DE13 Relevance: .1, Instructions: 119COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004292E0 Relevance: .1, Instructions: 110COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004393C0 Relevance: .1, Instructions: 92COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00436370 Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042A660 Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402B70 Relevance: .1, Instructions: 54COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00425E70 Relevance: .1, Instructions: 52COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00425DEA Relevance: .0, Instructions: 45COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043EC60 Relevance: .0, Instructions: 43COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040B79B Relevance: .0, Instructions: 37COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|