Windows Analysis Report: AquaPac.exe

Detection
Field | Value
---|---
Score | 100 (range 0 - 100)
Whitelisted | false
Confidence | 100%
Process tree (analysis system: Windows 10 x64). The processes below cmd.exe 5880 are the commands of Boats.cmd, spawned by that cmd.exe instance while it runs the batch file:

- AquaPac.exe (PID 6720, cmdline: "C:\Users\user\Desktop\AquaPac.exe", MD5: 609ACB4F45E7E7692DFEDAEE6C2854AD)
  - cmd.exe (PID 5880, cmdline: "C:\Windows\System32\cmd.exe" /c move Boats Boats.cmd & Boats.cmd, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - conhost.exe (PID 5720, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
    - tasklist.exe (PID 2020, cmdline: tasklist, MD5: 0A4448B31CE7F83CB7691A2657F330F1)
    - findstr.exe (PID 4144, cmdline: findstr /I "opssvc wrsa", MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
    - tasklist.exe (PID 7112, cmdline: tasklist, MD5: 0A4448B31CE7F83CB7691A2657F330F1)
    - findstr.exe (PID 6332, cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth", MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
    - cmd.exe (PID 3572, cmdline: cmd /c md 573646, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - extrac32.exe (PID 3160, cmdline: extrac32 /Y /E Mistakes, MD5: 9472AAB6390E4F1431BAA912FCFF9707)
    - findstr.exe (PID 6480, cmdline: findstr /V "Married" Close, MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
    - cmd.exe (PID 6484, cmdline: cmd /c copy /b 573646\Accidents.com + Kb + Term + Stadium + Rh + Katie + Doubt + Prefers + Virginia + Nepal + Collectables + Efficiently 573646\Accidents.com, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - cmd.exe (PID 6640, cmdline: cmd /c copy /b ..\Fp + ..\Cleveland + ..\Hey + ..\Commissioner + ..\Shipped + ..\Trucks f, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - Accidents.com (PID 5508, cmdline: Accidents.com f, MD5: 62D09F076E6E0240548C2F837536A46A)
    - choice.exe (PID 5736, cmdline: choice /d y /t 5, MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

Reading the chain: AquaPac.exe writes a file named Boats, renames it to Boats.cmd and runs it. The batch first runs tasklist piped into findstr twice (the sandbox records the two halves of each pipeline as separate processes) to look for process names belonging to several endpoint-security products (opssvc, wrsa, AvastUI, AVGUI, bdservicehost, nsWscSvc, ekrn, SophosHealth). It then creates the directory 573646, runs extrac32 /Y /E to unpack the file Mistakes as a CAB archive, runs findstr /V "Married" Close to emit every line of Close that does not contain the marker Married, reassembles 573646\Accidents.com from twelve fragments and a second file named f from six fragments with copy /b, and finally executes Accidents.com f. choice /d y /t 5 is a five-second delay that needs no user input. The dropped-file context table at the end of this report gives the full path of the reassembled file as C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\573646\Accidents.com, so the batch does its work inside the INetCache directory. Since the analysis stopped on timeout and the report notes that not all processes were analysed, what Accidents.com does after launch (the stage that produces the LummaC Yara hits and the C2 alerts below) is only partly covered by the behaviour sections.
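The chain above is a good detection target because each step is an ordinary Windows tool used in an unusual way. The Python script below is an added example, not code from the Joe Sandbox report: it encodes the steps as heuristics over process-creation records and runs them on a record set constructed from the report's own command lines. PIDs are the report's; the parent of AquaPac.exe is not shown in the report and is set to 0; the batch commands are assumed to be children of the cmd.exe (PID 5880) that runs Boats.cmd. The security-product process names are exactly the strings the sample searched for.

```python
"""Heuristics for the cmd.exe batch-loader chain shown in the process tree.

Added example, not code from the Joe Sandbox report. EVENTS is constructed from
the command lines printed in the report; PIDs are the report's, the parent of
AquaPac.exe is not shown and is set to 0, and the batch commands are assumed to
be children of the cmd.exe (PID 5880) that runs Boats.cmd.
"""
import re
from collections import defaultdict

# Process names the sample itself searched for with tasklist | findstr.
AV_PROCESSES = {
    "opssvc", "wrsa", "avastui", "avgui",
    "bdservicehost", "nswscsvc", "ekrn", "sophoshealth",
}

# (pid, ppid, image, cmdline) records, constructed from the report's process tree.
EVENTS = [
    (6720, 0, "AquaPac.exe", r'"C:\Users\user\Desktop\AquaPac.exe"'),
    (5880, 6720, "cmd.exe", r'"C:\Windows\System32\cmd.exe" /c move Boats Boats.cmd & Boats.cmd'),
    (5720, 5880, "conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (2020, 5880, "tasklist.exe", "tasklist"),
    (4144, 5880, "findstr.exe", 'findstr /I "opssvc wrsa"'),
    (7112, 5880, "tasklist.exe", "tasklist"),
    (6332, 5880, "findstr.exe", 'findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"'),
    (3572, 5880, "cmd.exe", "cmd /c md 573646"),
    (3160, 5880, "extrac32.exe", "extrac32 /Y /E Mistakes"),
    (6480, 5880, "findstr.exe", 'findstr /V "Married" Close'),
    (6484, 5880, "cmd.exe", r"cmd /c copy /b 573646\Accidents.com + Kb + Term + Stadium + Rh"
                            r" + Katie + Doubt + Prefers + Virginia + Nepal + Collectables"
                            r" + Efficiently 573646\Accidents.com"),
    (6640, 5880, "cmd.exe", r"cmd /c copy /b ..\Fp + ..\Cleveland + ..\Hey + ..\Commissioner"
                            r" + ..\Shipped + ..\Trucks f"),
    (5508, 5880, "Accidents.com", "Accidents.com f"),
    (5736, 5880, "choice.exe", "choice /d y /t 5"),
]

QUOTED = re.compile(r'"([^"]*)"')
COPY_B = re.compile(r"copy\s+/b\s+(.+)", re.IGNORECASE)


def av_discovery(image, cmdline):
    """findstr whose quoted search list names security-product processes."""
    if image.lower() != "findstr.exe":
        return None
    for group in QUOTED.findall(cmdline):
        hit = {t.lower() for t in group.split()} & AV_PROCESSES
        if hit:
            return "security-software discovery via findstr: " + ", ".join(sorted(hit))
    return None


def fragment_concat(image, cmdline):
    """copy /b joining three or more pieces into one file (payload reassembly)."""
    m = COPY_B.search(cmdline)
    if not m:
        return None
    parts = m.group(1).split("+")          # last part is "<fragment> <destination>"
    if len(parts) < 3:
        return None
    dest = parts[-1].split()[-1]
    return f"copy /b reassembles {dest} from {len(parts)} fragments"


def lolbin_extract(image, cmdline):
    """extrac32 /E extracting a CAB whose file name does not say it is a CAB."""
    if image.lower() == "extrac32.exe" and re.search(r"(^|\s)/E(\s|$)", cmdline, re.IGNORECASE):
        return "extrac32 /E used to unpack an embedded CAB"
    return None


def findstr_decoder(image, cmdline):
    """findstr /V "<marker>" <file> with no pipe: prints every line of <file> except marker lines."""
    if image.lower() == "findstr.exe" and re.search(r'\s/V\s+"[^"]*"\s+\S+', cmdline, re.IGNORECASE):
        return "findstr /V used to strip marker lines from a staged file"
    return None


def choice_delay(image, cmdline):
    """choice /d <default> /t <seconds>: a sleep that needs no user input."""
    m = re.search(r"choice\s+/d\s+\S+\s+/t\s+(\d+)", cmdline, re.IGNORECASE)
    if image.lower() == "choice.exe" and m:
        return f"choice used as a {m.group(1)}-second delay"
    return None


def com_exec(image, cmdline):
    """A .com image launched with a single bare argument."""
    if image.lower().endswith(".com") and len(cmdline.split()) == 2:
        return "renamed .com executable launched with one bare argument"
    return None


CHECKS = (av_discovery, fragment_concat, lolbin_extract, findstr_decoder, choice_delay, com_exec)


def analyse(events, min_distinct=3):
    """Group hits by parent PID; a parent with >= min_distinct kinds of hit is a loader chain."""
    hits = defaultdict(list)
    for pid, ppid, image, cmdline in events:
        for check in CHECKS:
            desc = check(image, cmdline)
            if desc:
                hits[ppid].append((pid, check.__name__, desc))
    verdicts = {}
    for ppid, rows in hits.items():
        kinds = {name for _, name, _ in rows}
        label = "batch-loader chain" if len(kinds) >= min_distinct else "isolated hits"
        verdicts[ppid] = (label, rows)
    return verdicts


if __name__ == "__main__":
    for ppid, (label, rows) in analyse(EVENTS).items():
        print(f"parent PID {ppid}: {label}")
        for pid, name, desc in rows:
            print(f"  {pid:>5}  {name:<16} {desc}")
```

Grouping by parent PID rather than scoring each process on its own is the point: a lone copy /b or choice /t has legitimate uses in scripts, but six different kinds of hit under one cmd.exe within seconds does not. The fragment threshold (three or more pieces) and the distinct-kind threshold are tuning knobs, not fixed values.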
Yara matches (the matched source, the matched strings and the signature names of the HIPS / PFW / Operating System Protection Evasion section were not preserved in this extraction)

Rule | Description | Author
---|---|---
JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security
Suricata IDS alerts, merged into one table in time order. Every alert is from 192.168.2.5 to 172.67.205.168 port 443/TCP; only the client port differs. Suricata severity 1 is the highest. Rule names for the SIDs are not included in this extraction.

Timestamp | SID | Severity | Classtype | Source Port
---|---|---|---|---
2024-12-29T23:45:16.311409+0100 | 2028371 | 3 | Unknown Traffic | 49712
2024-12-29T23:45:16.773394+0100 | 2054653 | 1 | A Network Trojan was detected | 49712
2024-12-29T23:45:16.773394+0100 | 2049836 | 1 | A Network Trojan was detected | 49712
2024-12-29T23:45:17.251278+0100 | 2028371 | 3 | Unknown Traffic | 49718
2024-12-29T23:45:17.722215+0100 | 2054653 | 1 | A Network Trojan was detected | 49718
2024-12-29T23:45:17.722215+0100 | 2049812 | 1 | A Network Trojan was detected | 49718
2024-12-29T23:45:18.329669+0100 | 2028371 | 3 | Unknown Traffic | 49725
2024-12-29T23:45:18.891378+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 49725
2024-12-29T23:45:19.509284+0100 | 2028371 | 3 | Unknown Traffic | 49735
2024-12-29T23:45:20.530019+0100 | 2028371 | 3 | Unknown Traffic | 49741
2024-12-29T23:45:21.665381+0100 | 2028371 | 3 | Unknown Traffic | 49751
2024-12-29T23:45:23.199330+0100 | 2028371 | 3 | Unknown Traffic | 49762
2024-12-29T23:45:25.278782+0100 | 2028371 | 3 | Unknown Traffic | 49778
2024-12-29T23:45:25.765451+0100 | 2054653 | 1 | A Network Trojan was detected | 49778
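The alert rows are easier to read per TLS connection than per rule. The script below is an added example, not code from the Joe Sandbox report: it regroups the rows by client port (each port is one TCP connection), ranks every flow by its most severe alert, and measures how long after the first severity-3 hit the first severity-1 hit arrived. The rows are copied from the table above; the meaning of each SID is not in the report and is not assumed.

```python
"""Per-flow view of the Suricata alerts in the report.

Added example, not code from the Joe Sandbox report. ALERT_ROWS is copied from
the alert table (timestamp, SID, severity, classtype, client port); every row
has source 192.168.2.5 and destination 172.67.205.168 port 443/TCP. Rule names
for the SIDs are not in the report and are not assumed here.
"""
from collections import defaultdict
from datetime import datetime

ALERT_ROWS = """
2024-12-29T23:45:16.311409+0100 2028371 3 Unknown Traffic 49712
2024-12-29T23:45:17.251278+0100 2028371 3 Unknown Traffic 49718
2024-12-29T23:45:18.329669+0100 2028371 3 Unknown Traffic 49725
2024-12-29T23:45:19.509284+0100 2028371 3 Unknown Traffic 49735
2024-12-29T23:45:20.530019+0100 2028371 3 Unknown Traffic 49741
2024-12-29T23:45:21.665381+0100 2028371 3 Unknown Traffic 49751
2024-12-29T23:45:23.199330+0100 2028371 3 Unknown Traffic 49762
2024-12-29T23:45:25.278782+0100 2028371 3 Unknown Traffic 49778
2024-12-29T23:45:16.773394+0100 2054653 1 A Network Trojan was detected 49712
2024-12-29T23:45:17.722215+0100 2054653 1 A Network Trojan was detected 49718
2024-12-29T23:45:25.765451+0100 2054653 1 A Network Trojan was detected 49778
2024-12-29T23:45:16.773394+0100 2049836 1 A Network Trojan was detected 49712
2024-12-29T23:45:17.722215+0100 2049812 1 A Network Trojan was detected 49718
2024-12-29T23:45:18.891378+0100 2048094 1 Malware Command and Control Activity Detected 49725
"""


def parse_rows(text):
    """Turn the whitespace-separated rows into dicts; the classtype is the middle words."""
    alerts = []
    for line in text.strip().splitlines():
        ts, sid, sev, *classtype, port = line.split()
        alerts.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sid": int(sid),
            "severity": int(sev),          # Suricata convention: 1 is the most severe
            "classtype": " ".join(classtype),
            "port": int(port),
        })
    return alerts


def correlate(alerts):
    """One entry per client port (one TCP connection), with its alerts in time order."""
    flows = defaultdict(list)
    for a in alerts:
        flows[a["port"]].append(a)
    summary = {}
    for port, rows in flows.items():
        rows.sort(key=lambda r: r["ts"])   # stable sort: same-timestamp rows keep table order
        high = [r for r in rows if r["severity"] == 1]
        summary[port] = {
            "sids": [r["sid"] for r in rows],
            "top_severity": min(r["severity"] for r in rows),
            "classtypes": sorted({r["classtype"] for r in rows}),
            # seconds from the first alert on the flow to its first severity-1 alert
            "time_to_high": (high[0]["ts"] - rows[0]["ts"]).total_seconds() if high else None,
        }
    return summary


def flows_with_high_severity(summary):
    """Client ports whose connection produced at least one severity-1 alert."""
    return sorted(port for port, s in summary.items() if s["top_severity"] == 1)


if __name__ == "__main__":
    summary = correlate(parse_rows(ALERT_ROWS))
    for port in sorted(summary):
        s = summary[port]
        print(f"port {port}: top severity {s['top_severity']}, sids {s['sids']}, "
              f"time to severity 1: {s['time_to_high']}")
```

Read this way, the eight connections split into four that only tripped SID 2028371 and four where a severity-1 rule fired within a second of it; the C2 classtype is confined to the connection on port 49725. Because every connection is TLS on port 443, whatever these rules matched lies in the unencrypted part of the session (handshake and certificate metadata) rather than in the payload, which is one reason to read the Yara hits and the network alerts together rather than either on its own.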
AV Detection
Evidence recorded in this section (the per-row detail such as matched strings, paths and URLs was not preserved in this extraction): one Integrated Neural Analysis Model hit; static PE information (2 rows); HTTPS traffic detected (8 flows); code functions 0_2_004062D5, 0_2_00402E18 and 0_2_00406C9B (Joe Sandbox function IDs as printed); file opened (6 rows).
Networking
Evidence recorded in this section (per-row detail not preserved): Suricata IDS (14 rows, corresponding to the alert table above); ASN name; JA3 fingerprint; HTTP traffic detected (9 rows); UDP traffic detected without corresponding DNS query (2 rows); DNS traffic detected (2 rows); string found in binary or memory (30 rows); network traffic detected (16 rows); HTTPS traffic detected (8 flows); code functions 0_2_004050CD and 0_2_004044A5.
System Summary
Evidence recorded in this section (per-row detail not preserved): PE signature subject chain; code functions 0_2_00403883, 0_2_0040497C, 0_2_00406ED2, 0_2_004074BB, 0_2_004044A5, 0_2_004024FB and 0_2_004062FC plus one unnumbered entry; file created (6 rows); dropped file (1 row); static PE information (5 rows); classification label; mutant created; WMI queries (2 rows); file read (2 rows); key opened; key value queried; process created (27 rows); section loaded (130 rows); window detected; static file information.
Persistence and Installation Behavior
Evidence recorded in this section (per-row detail not preserved): file created (2 rows, each linked to a dropped file); process information set (19 rows).
Malware Analysis System Evasion
Evidence recorded in this section (per-row detail not preserved): WMI queries (3 rows); system information queried; window / user API; thread sleep time; last function (2 rows); code functions 0_2_004062D5, 0_2_00402E18 and 0_2_00406C9B (the same three listed under AV Detection), 0_2_004062FC and 0_2_00406805; file opened (6 rows); binary or memory string (2 rows); process information queried; process token adjusted (2 rows); process created (12 rows); queries volume information.
Stealing of Sensitive Information
Evidence recorded in this section (per-row detail not preserved): file source (1 row); file opened (128 rows); directory queried (4 rows).
Remote Access Functionality
Evidence recorded in this section (per-row detail not preserved): file source (1 row).
MITRE ATT&CK matrix. Only techniques the report marked as observed are listed; the numeric prefix is the report's own signature-hit count for the technique, reproduced as printed. No technique was observed under Reconnaissance, Resource Development, Initial Access, Lateral Movement or Exfiltration.

Tactic | Observed techniques
---|---
Execution | 121 Windows Management Instrumentation; 1 Native API
Persistence | 1 DLL Side-Loading
Privilege Escalation | 12 Process Injection; 1 DLL Side-Loading
Defense Evasion | 111 Masquerading; 21 Virtualization/Sandbox Evasion; 12 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 1 DLL Side-Loading
Credential Access | 2 OS Credential Dumping; 11 Input Capture
Discovery | 211 Security Software Discovery; 21 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 13 File and Directory Discovery; 24 System Information Discovery
Collection | 11 Input Capture; 1 Archive Collected Data; 31 Data from Local System; 1 Clipboard Data
Command and Control | 11 Encrypted Channel; 2 Non-Application Layer Protocol; 13 Application Layer Protocol
Impact | 1 System Shutdown/Reboot
Antivirus and URL reputation results (the source column, naming the file or URL each row refers to, was not preserved in this extraction)

Source | Detection | Scanner | Label
---|---|---|---
(not preserved) | 5% | ReversingLabs | 
(not preserved) | 0% | ReversingLabs | 
(not preserved) | 0% | Avira URL Cloud | safe
Contacted domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
---|---|---|---|---|---
applesactti.click | 172.67.205.168 | true | true | unknown | 
kvoOGmFSFAudheChUK.kvoOGmFSFAudheChUK | unknown | unknown | false | unknown | 

Contacted URLs (the URL strings were not preserved in this extraction): one entry marked malicious with unknown reputation; four entries marked not malicious with high reputation.

Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
---|---|---|---|---|---
172.67.205.168 | applesactti.click | United States | 13335 | CLOUDFLARENETUS | true
Analysis details
Field | Value
---|---
Joe Sandbox version | 41.0.0 Charoite
Analysis ID | 1582080
Start date and time | 2024-12-29 23:44:06 +01:00
Joe Sandbox product | CloudBasic
Overall analysis duration | 0h 5m 23s
Hypervisor based Inspection enabled | false
Report type | full
Cookbook file name | default.jbs
Analysis system description | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed | 17
Number of new started drivers analysed | 0
Number of existing processes analysed | 0
Number of existing drivers analysed | 0
Number of injected processes analysed | 0
Analysis Mode | default
Analysis stop reason | Timeout
Sample name | AquaPac.exe
Detection | MAL
Classification | mal100.troj.spyw.evad.winEXE@26/23@2/1

Cookbook comments:
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analysed; the report is missing behaviour information.
- Report size exceeded maximum capacity and may have missing behaviour information.
- Report size getting too big: too many NtOpenKeyEx calls found.
- Report size getting too big: too many NtQueryValueKey calls found.
- Report size getting too big: too many NtSetInformationFile calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. View the PCAPs for the complete data.
- VT rate limit hit for: AquaPac.exe

The timeout stop reason and the truncation notes together mean the behaviour sections above are a lower bound on what the sample does, not a complete record.
Time | Type | Description |
---|---|---|
17:44:55 | API Interceptor | |
17:45:00 | API Interceptor | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CLOUDFLARENETUS | | | malicious | LummaC | | |
CLOUDFLARENETUS | | | malicious | LummaC | | |
CLOUDFLARENETUS | | | malicious | LummaC | | |
CLOUDFLARENETUS | | | malicious | Python Stealer, Creal Stealer | | |
CLOUDFLARENETUS | | | malicious | Unknown | | |
CLOUDFLARENETUS | | | malicious | LummaC | | |
CLOUDFLARENETUS | | | malicious | Unknown | | |
CLOUDFLARENETUS | | | malicious | LummaC Stealer | | |
CLOUDFLARENETUS | | | malicious | Nitol, Zegost | | |
CLOUDFLARENETUS | | | malicious | Nitol, Zegost | | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | | | malicious | LummaC | | |
a0e9f5d64349fb13191bc781f81f42e1 | | | malicious | LummaC | | |
a0e9f5d64349fb13191bc781f81f42e1 | | | malicious | LummaC | | |
a0e9f5d64349fb13191bc781f81f42e1 | | | malicious | LummaC | | |
a0e9f5d64349fb13191bc781f81f42e1 | | | malicious | LummaC Stealer | | |
a0e9f5d64349fb13191bc781f81f42e1 | | | malicious | LummaC, DarkTortilla, LummaC Stealer | | |
a0e9f5d64349fb13191bc781f81f42e1 | | | malicious | LummaC | | |
a0e9f5d64349fb13191bc781f81f42e1 | | | malicious | LummaC | | |
a0e9f5d64349fb13191bc781f81f42e1 | | | malicious | LummaC | | |
a0e9f5d64349fb13191bc781f81f42e1 | | | malicious | Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig | | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\573646\Accidents.com | | | malicious | Remcos | | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\573646\Accidents.com | | | malicious | LummaC | | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\573646\Accidents.com | | | malicious | LummaC Stealer | | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\573646\Accidents.com | | | malicious | LummaC Stealer | | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\573646\Accidents.com | | | malicious | LummaC Stealer | | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\573646\Accidents.com | | | malicious | LummaC | | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\573646\Accidents.com | | | malicious | LummaC | | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\573646\Accidents.com | | | malicious | LummaC | | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\573646\Accidents.com | | | malicious | LummaC | | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\573646\Accidents.com | | | malicious | LummaC | | |
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | modified |
Size (bytes): | 947288 |
Entropy (8bit): | 6.630612696399572 |
Encrypted: | false |
SSDEEP: | 24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK |
MD5: | 62D09F076E6E0240548C2F837536A46A |
SHA1: | 26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2 |
SHA-256: | 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49 |
SHA-512: | 32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F |
Malicious: | true |
Antivirus: | |
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 506244 |
Entropy (8bit): | 7.999662407338948 |
Encrypted: | true |
SSDEEP: | 12288:IZ0nH3etp5SIhntr3/D1bcibscoMPWB1URYQX3:6+3Cp5SI1tb1dmGWIR9X3 |
MD5: | 7FDAF8100E377300A67C112F8A5E180F |
SHA1: | 20ECDCCECA68E6B515879C1006F7927BBFBF1D72 |
SHA-256: | 62C0615FAE70BE0002139CC66DB8FC9B48FCA03935B4A04BA797010D3313B9DB |
SHA-512: | B075F8EA9F7693692F82B46A23B6D9775013E8B37CE3A35D0E55BD3CF3F9CB770F0253BC327DC7E68E6FA1EB340ED58FDDE88C14A6E1CFF5FC1FC8EFA8957F40 |
Malicious: | false |
Process: | C:\Users\user\Desktop\AquaPac.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 22288 |
Entropy (8bit): | 5.121945885870324 |
Encrypted: | false |
SSDEEP: | 384:IWM4iexrLTKZie9PSoXa3x59ekSa1UwbUHzJMmYnNCt2tBST5Jv:IF4iexrLGZie9PSoK3xPekSDRtM5JST7 |
MD5: | E16CC9E45B0287EC95A0DFE8F0817E87 |
SHA1: | 7D11569C6B8E7D3DE687FC88185E3C218FB82792 |
SHA-256: | 741E3DCC5B789BE04DF3DA5C2D9522B52A287454A6D079EB03A3AF342D14432C |
SHA-512: | 06654A1D0DDC2F1E6EB3F180CEB275B67EC2AC9AE9578124E1523A36FAD9973AD9678EAF93DC4E5B3B2367357E12984B6294CA06DA3A60D2F75EC31A598B7B3F |
Malicious: | false |
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 22288 |
Entropy (8bit): | 5.121945885870324 |
Encrypted: | false |
SSDEEP: | 384:IWM4iexrLTKZie9PSoXa3x59ekSa1UwbUHzJMmYnNCt2tBST5Jv:IF4iexrLGZie9PSoK3xPekSDRtM5JST7 |
MD5: | E16CC9E45B0287EC95A0DFE8F0817E87 |
SHA1: | 7D11569C6B8E7D3DE687FC88185E3C218FB82792 |
SHA-256: | 741E3DCC5B789BE04DF3DA5C2D9522B52A287454A6D079EB03A3AF342D14432C |
SHA-512: | 06654A1D0DDC2F1E6EB3F180CEB275B67EC2AC9AE9578124E1523A36FAD9973AD9678EAF93DC4E5B3B2367357E12984B6294CA06DA3A60D2F75EC31A598B7B3F |
Malicious: | false |
Process: | C:\Users\user\Desktop\AquaPac.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 84992 |
Entropy (8bit): | 7.997840350418743 |
Encrypted: | true |
SSDEEP: | 1536:vEtqJBhB96gaD3qFwZAN1s5pq6LqZQTgnvTDzMMrr4QDL67:4qJN1auDmvU+gLDYMrr4QA |
MD5: | 648E78E3CEFC7321A7BB3AB56DD6215C |
SHA1: | F91718BAF226EDD5F19AF34BBAC990ED4CFB5182 |
SHA-256: | 463BC8676255E5458D0830EC6FED19DCCD48296ED702028D3ECC807470A8FB7E |
SHA-512: | 36AB654C3C943E6416A709C0585367CA932A0EA7D5982F988E58EAAE3775EE1F0FBFB7AC82ACD4EC92443A169D4D3D7E7603E90A30F0526FCD44537D31A6BB14 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2244 |
Entropy (8bit): | 5.202731741418251 |
Encrypted: | false |
SSDEEP: | 48:l9n9mTsCNvEQH5O5U1nPKrhBzM1FoMPhfq1koCqxLu:nSEA5O5W+MfH5S1Cqlu |
MD5: | D4167DBC80914F9F6D46183D51781900 |
SHA1: | 19953BB846AEE1ED290AD0B7606948DBBD309C11 |
SHA-256: | 1E92A1904A69A1F2A2875F6C63D88C9320BE8038516DC256D642C3B94B0CFA21 |
SHA-512: | F1B481AA1C67B35A2AC78B139791F0449E813812C0CDF4B9360B19D8E542F900FD8B5E0AA036EF8387FF8ACD5862E8C95AF686E2BFAAE41A8466E47762F2B112 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 152576 |
Entropy (8bit): | 5.852331238106684 |
Encrypted: | false |
SSDEEP: | 3072:N6whxjgarB/5elDWy4ZNoGmROL7F1G7ho2+:N6ggarZ8aBZ2GmRq76t+ |
MD5: | 528E4EB9DDD26EB5974AD2AD0889A609 |
SHA1: | E139CEFD6AD0DCDB5153378A8B523172FC3D2773 |
SHA-256: | D3616DBEF31B4EF4FEB98F515B5691993C9C8EDE366015F54404251A69C6BD54 |
SHA-512: | 9C01C4FD97B7D6232CC2677A2AA9C2BE2A1F1569A08B91566EAA5F69BB00233FEC5122F8B83BB038F542DDBB8290C974649C94EA86699E6C9010EA0178E8ED1B |
Malicious: | false |
Process: | C:\Users\user\Desktop\AquaPac.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 72704 |
Entropy (8bit): | 7.997943499713317 |
Encrypted: | true |
SSDEEP: | 1536:Ik5pTV2aWs6HFkVxC6ZgsyLJqaMyxYyt93oxF4IBZ95caZA:IWPthvCSQJq2eytZoNBNca2 |
MD5: | B56D5438B2CD2D92937C55D19846AB7D |
SHA1: | BDBF992B214E27F7509514A48C3B3A3E02044957 |
SHA-256: | F7D1D40F30AE128D0CDB593F5ABA8F4A43DB3FFF79D91D627428E324864D2430 |
SHA-512: | E26EF1702D6348BE6AEE6BA40617FB489F58DFCFF4AA6474A4669D643F55A08B9316E6917F6EAC724B57CD56CB2F71084817C290127DCDF84A98D1F6025815BE |
Malicious: | false |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 129024 |
Entropy (8bit): | 6.583935569084101 |
Encrypted: | false |
SSDEEP: | 3072:nt8T6pUkBJR8CThpmESv+AqVnBypIbv18mLthfhnueoMmOqDoion:n6AUkB0CThp6vmVnjphfhnvn |
MD5: | A89E447B4BD303865F1D1AACFD90091F |
SHA1: | 020146542E22FBF616AB7A39441432221809F97D |
SHA-256: | 0A90FD52E5B92114F67C5D9C12414CBE8A438EF4B2F047E831D0FC5667AE0368 |
SHA-512: | 33C680DE6951526869C3B58B28B97596465C0C06E9A1BC1BABCCBD13673E9987ED7C151F1BBD2CAD2F310E8C489F8C687C73077C9D107B73457BA415477BC71B |
Malicious: | false |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 7067 |
Entropy (8bit): | 7.602820449916964 |
Encrypted: | false |
SSDEEP: | 192:UN8VEVFJ84kcGNq4/C+Q3ISVSWMZMQ3rw:tVEVFJ8ZcGwGBk7/UMQ3rw |
MD5: | 93C1A13C474BCCB6AE2ADE9784F2A737 |
SHA1: | 7B5AD30789447F55B00361FB8FDC62A9C45F0B4D |
SHA-256: | 19876065B1759982937B744C324CD1DD5B20B8DBD140A85EADE08BCF3ADE9915 |
SHA-512: | 02F91645AE40FA70A4BDC8AF269FED369483E6B4A737990B0E5B1F93CEF36265574A14855792C4C91DF7A1973EBD84CC8BC3ABBE389CE5C7095AF16FC785C798 |
Malicious: | false |
Process: | C:\Users\user\Desktop\AquaPac.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 99328 |
Entropy (8bit): | 7.997945651352295 |
Encrypted: | true |
SSDEEP: | 1536:HgkWoClvbT/A1Tr12q74ibWu7PN/LerM7sEVm1UOzwzU7tclQwk24f:Hgk8lvbTcAq74cWu7tF7lVmsMtcydf |
MD5: | CBDA6368CA1E35C82635A2B323947B28 |
SHA1: | 4BC9C8138A93E7B8D744BCBE10C513CB4EFC6C9D |
SHA-256: | 0552A05AC9243AC61D2F07F923685D71123E640CB220CBD92256F95C0DBD9F32 |
SHA-512: | A51EB20A576961B2CE960D8B55454F98FBD44E2184476552CE80615800751FE5632D79CAD7E14445A5BA0D9C7D031E6EA0B7A8FFC6C01290518659351AE95F45 |
Malicious: | false |
Process: | C:\Users\user\Desktop\AquaPac.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 88064 |
Entropy (8bit): | 7.997701874239064 |
Encrypted: | true |
SSDEEP: | 1536:vLNNjT+FT+x8J/0kEw+5Y6Q+rwJYyqbNYwNOupwiAd0qOLPE/DfEDwiWGQZVYuIE:xeb/0kF+5Y6PcJYyqeBupRo0qxfSwzc+ |
MD5: | 826275E10DF62A29C02AF2C5B7AE7131 |
SHA1: | D8FFDFF19452AC9A2F05D978983F2EF8DD29074F |
SHA-256: | 88A68C2B1405918B70A4761361DE09EF176CC76D50B27B11744AC26D2B0C8017 |
SHA-512: | 01FC1758D756CCA9548C5142B775D9C5C2884419AF9C38C26258B1460B7A290E5B614424D943479B4D15D8B3C867F07049376E00A9F5B660AB7873DB5C5B8D90 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 133120 |
Entropy (8bit): | 6.7175069434092585 |
Encrypted: | false |
SSDEEP: | 3072:MdTmRxlHS3NxrHSBRtNPnj0nEoXnmowS2u5hVOoQj:lHS3zcNPj0nEo3tb2r |
MD5: | 4EFEE3976793476FD1824D2B685D95F1 |
SHA1: | 7431761D6D50607F27998E27BA9B23C63C1A6042 |
SHA-256: | 060370F9E98BF278DF8AA1960098810B4851AA671949A0F62BB809E7CF0E38FD |
SHA-512: | D1A6400900AE9ECA846D4C0F8C2FF0DA42EFDA18EDBC2B6DE670A24820E650491D5DC82E678423CDD507BC9934F7E740145DEB893081D97A3216247297DF8519 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 59392 |
Entropy (8bit): | 6.554132905870603 |
Encrypted: | false |
SSDEEP: | 768:xOWrM81EyJqx9EdzGGXZVfmlqTmN5WAQIGK2ud5lS87uzh7JCQ/sE7mOB6XSHuvX:YAD1EsdzVXnP94SGGLpRB6M28eFvMK |
MD5: | 7C3F3E06CA625E560BD276043D7FA606 |
SHA1: | 0E9FECFA1E84877DA5D75262AA7E17FB6667550F |
SHA-256: | 428C27FA151E29E288EC1D74685DAD80B795FF369D50EEF5C5BD59A193C9626A |
SHA-512: | C8291ECDAA87B65910CC0643F00AEDC9254020B22BB7BACB285CBEABAFB9DFA4EBFD50A0D38A64460055D9A215A587F15756144107A9DB92FDBFDC2A9CAA8BA7 |
Malicious: | false |
Process: | C:\Users\user\Desktop\AquaPac.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 489160 |
Entropy (8bit): | 7.99818960752648 |
Encrypted: | true |
SSDEEP: | 12288:CZE29u5h402Bc7Q5IfCw+bFRH5wTIDy+YcJ6ARXmN1:CZE29Eh40Wc7QDqTv+YCR23 |
MD5: | D91CE740E5F8F3BE6881A2CE77F51BDE |
SHA1: | 44BF136DF7B994CD2F749A64BF8F5690C6426D82 |
SHA-256: | 6535ABB80D136E32B3A9C8AE4129E02E90B404F03786DF9A1C2E8CD21EE6AB6E |
SHA-512: | 17BD7A4794BBF266907D052C37D41DCC7ABBC3EA904AC0AF3A297CD0E1412439DBC755289656042C33EA3708426CE300D60BDBB90629442E08A00E514C6395C9 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 76800 |
Entropy (8bit): | 5.035870146754863 |
Encrypted: | false |
SSDEEP: | 384:+hJ06HrpRD9HPmPuki09PrOa3HwwuBcozc/mwftIQXoSpu88888888888888888v:GD9vmPukxhSaAwuXc/mex/Sc |
MD5: | F4CD165863A2FDA57348C277BF9028B8 |
SHA1: | 4D3A96C88CA1E3AFA82C76268734D0C1A7A11150 |
SHA-256: | 44793AA76472BD4ACB48CBDB9AC029D39156F37E491918E693B071D802EB3D47 |
SHA-512: | F65CFD56926C91F8C30CC02DA83C77257E6E0C6DD06D2BB2E6C0277FC301570BD0C55F7769F92831A66ECF5F0A014E472A9D1FAF8FF574F0DBF22C726E82B265 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 56320 |
Entropy (8bit): | 6.52141421811215 |
Encrypted: | false |
SSDEEP: | 1536:j+r5bLmbZzW9FfTubb1/Dde6YF640L6wy4Za9IN3YRYfv2j62Sv:O5bLezW9FfTut/Dde6u640ewy4Za9coS |
MD5: | C2A386429946C87F7B05A774C7E846D1 |
SHA1: | 34194FE9FC68933D1DBFFDB665A7099323772319 |
SHA-256: | 96EBEEF10F7B1719C4CF0F65AE2DD590DEDCF947004C10489675817057614FA3 |
SHA-512: | 64C2A6318BF2D6075A49E219408F12942A86BA2101A83439719982B1193F52D01307C99D238120E3ECFE0819339DEF7706FE1575F50280CE91DC4E17E0EACC64 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 118784 |
Entropy (8bit): | 6.686922533395435 |
Encrypted: | false |
SSDEEP: | 3072:FDOSpQSAU4CE0Imbi80PtCZEMnVIPPBxT/sZZ:FiS+SAhClbfSCOMVIPPL/sZZ |
MD5: | 95FC6A6E2095558409B8E89E7E09BA7D |
SHA1: | 8F12D738DD917E28F4276EABF73300604761EE1E |
SHA-256: | FD0191099AA495C1804461BBB29C7DEB293D6B410769428427A562DF7E613A47 |
SHA-512: | E39F720F7A10A917FE1171C30F1C46948A24DFE77439D0D2ED956B47EC49D5F5D820F42A0805FF2F51C55521CA30605E9BD5153267E94B7080DE8EE6457EDA85 |
Malicious: | false |
Process: | C:\Users\user\Desktop\AquaPac.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 87040 |
Entropy (8bit): | 7.9980718428166435 |
Encrypted: | true |
SSDEEP: | 1536:5OmC9v5OhUhC9kf7Vez+RJ9eHcaZCpLMyvBgK7l/xUqHNp6Re1InODr+oA:BC9viUhcibzYcaotMMpxpUXe16O/c |
MD5: | D41A9302A777C16FD62CF6783FE56E47 |
SHA1: | F5DA8DFE49924C38DF9686BE6FF2C05E75391270 |
SHA-256: | D70C48EF46C6C40C5C7CCE3937E5F1A70C8FC64FD9AA41E08DA3332FB61BE6EE |
SHA-512: | C191D874C38FB7379658572FE8DAE646D79DB73849E56F03835212B438F2A0E72EE761DAAFA7C37438EFB015378DED60DCD06718BC804ADCCD2223F175A44178 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 60416 |
Entropy (8bit): | 6.618762292343925 |
Encrypted: | false |
SSDEEP: | 1536:fKu2IwNnPEBiqXv+G/UXT6TvY464qvI932eOypvcW:fccBiqXvpgF4qv+32eOyKW |
MD5: | E2A01ED2358455D40C9E7AC34E1E87DF |
SHA1: | 242A2C8739F9DB3BAD861542F7C7D82979F098EF |
SHA-256: | 6C455DA51250AD8EE230938F07C304B64DB9F295729BC6DA9491A2511EFA06FB |
SHA-512: | 4E4C9654F48B9C8783088EDC8FC4611118BE84361829AB017E96A0F2EB14EBDD35759E82D205A18DBB50ED756397798388406F49E968AC34BE6532156724309A |
Malicious: | false |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 82944 |
Entropy (8bit): | 6.232379253021603 |
Encrypted: | false |
SSDEEP: | 1536:gpYhWoXElJUzdlDfFgQa8BpDzdZPp7HE+tKA3QkvyNf7Xw2U0pkzUWBh2zGc/xvA:kGWoUlJUPdgQa8Bp/LxyA3laW2UDQWfB |
MD5: | 2D4CE320A2476DD950299A6BE89ED7CE |
SHA1: | BD070BDC24A7B6B037B03148A1BE7584EC80670C |
SHA-256: | 52BC43DD3B9C0AA196CF3E19C5F7F1612B94879F526C156B9E8050462A4F150D |
SHA-512: | 37506F56782D67FEDBE71174BAF92D1F5933FE9D55E9EB6DFF324139443C116C15D097E239031A40E5343E14BD720FFAE042C9712193FDC6C38012E37F2772C7 |
Malicious: | false |
Process: | C:\Users\user\Desktop\AquaPac.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 74116 |
Entropy (8bit): | 7.997740290093227 |
Encrypted: | true |
SSDEEP: | 1536:swscWEVt6Qz+rIsg1TJqjuQNQWnllxprb/eavjQUU3XH8XTZ5na+:swnWmsReWnpNyac9cX15na+ |
MD5: | AAE8C0558D9C8FB22798ACD2B09D752F |
SHA1: | 3EA9259C227A87AEB12AEC508CFD50CE46A692AE |
SHA-256: | FB0C6EA82A1D315C0EC66825E020B481D4035867277D9C79C1565FDA23186231 |
SHA-512: | 5541B83B6AB33B89104F3CFF19AE31A5A850A18E85754419C4903E9D240642F90C133980E09E1C385FBE6F3684CD4C88955813A5FD767AC4FCB208801A7581F8 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 68608 |
Entropy (8bit): | 5.909042011314109 |
Encrypted: | false |
SSDEEP: | 1536:HuVGHj1vtK7h6R8anHsWccd0vtmgMbFuz08QuklMBNI9:Oq8QLeAg0Fuz08XvBNo |
MD5: | BCA97A41E01B9A2733DC9730A6AEDA76 |
SHA1: | 74E158FF5A8322A98628C7B6AB306EC99574A162 |
SHA-256: | 7CF2B204EED76BC835E744755B3697450F23DB6DBBCAD40FE67DDA248E6D870B |
SHA-512: | 06D7EA32B6A9DFC17150DAD874DEC05F66B843193DB3F77C286396AFBFA2313F9914E15EE229AEE6C6D2297F3D152E753FF0AC73048EE028892F641E0864AB55 |
Malicious: | false |
File type: | |
Entropy (8bit): | 7.9814073674184645 |
TrID: | |
File name: | AquaPac.exe |
File size: | 1'103'634 bytes |
MD5: | 609acb4f45e7e7692dfedaee6c2854ad |
SHA1: | cd297298395ceb03f27c4f38e6e99c0deb6df88c |
SHA256: | e56496d1737c356ed7feacebe0daaf34781975fcae1fbd368cb5a7b2c2a1eae3 |
SHA512: | 67d3dc5399453a3a90c7af014542c60b93b41bbe00fcbcf4b18434e4011c400f7da1868d8865f629c7e2df7b2b9b11a3d52a004e7b139635ae1bd20becb648a4 |
SSDEEP: | 24576:+DJMEy2UJyOqKbUbnGfiBc8EFuoThlhZCq4ktw7:+Ny9qKbWnGC+FzThlhEqZtw |
TLSH: | E03523564469D872FD730E3171B91A218C37F6130C30D5AF2738CC9AB66338AD97DA9A |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L...X|.N.................n.......B...8..... |
Icon Hash: | 1371696969697804 |
Entrypoint: | 0x403883 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x4E807C58 [Mon Sep 26 13:21:28 2011 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | be41bf7b8cc010b614bd36bbca606973 |
Signature Valid: | false |
Signature Issuer: | CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US |
Signature Validation Error: | The digital signature of the object did not verify |
Error Number: | -2146869232 |
Not Before, Not After | |
Subject Chain | |
Version: | 3 |
Thumbprint MD5: | B655F7A26575D646751B675C513B9BD0 |
Thumbprint SHA-1: | B0DBCAAF432E1E9A9C50626F72F884D69DBC1259 |
Thumbprint SHA-256: | 9E9D9A1451F9DE492B7CE1B146E9D80CE0FF261D03F6C9A06FAAE84F7333F916 |
Serial: | 038A4A4C4DAA6AAD4C64BC63BF082C4D |
Instruction |
---|
sub esp, 000002D4h |
push ebx |
push ebp |
push esi |
push edi |
push 00000020h |
xor ebp, ebp |
pop esi |
mov dword ptr [esp+18h], ebp |
mov dword ptr [esp+10h], 00409268h |
mov dword ptr [esp+14h], ebp |
call dword ptr [00408030h] |
push 00008001h |
call dword ptr [004080B4h] |
push ebp |
call dword ptr [004082C0h] |
push 00000008h |
mov dword ptr [00472EB8h], eax |
call 00007FE28485F21Bh |
push ebp |
push 000002B4h |
mov dword ptr [00472DD0h], eax |
lea eax, dword ptr [esp+38h] |
push eax |
push ebp |
push 00409264h |
call dword ptr [00408184h] |
push 0040924Ch |
push 0046ADC0h |
call 00007FE28485EEFDh |
call dword ptr [004080B0h] |
push eax |
mov edi, 004C30A0h |
push edi |
call 00007FE28485EEEBh |
push ebp |
call dword ptr [00408134h] |
cmp word ptr [004C30A0h], 0022h |
mov dword ptr [00472DD8h], eax |
mov eax, edi |
jne 00007FE28485C7EAh |
push 00000022h |
pop esi |
mov eax, 004C30A2h |
push esi |
push eax |
call 00007FE28485EBC1h |
push eax |
call dword ptr [00408260h] |
mov esi, eax |
mov dword ptr [esp+1Ch], esi |
jmp 00007FE28485C873h |
push 00000020h |
pop ebx |
cmp ax, bx |
jne 00007FE28485C7EAh |
add esi, 02h |
cmp word ptr [esi], bx |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9b34 | 0xb4 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf4000 | 0x3eae | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x10acd2 | 0x2a40 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7a000 | 0x964 | .ndata |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2d0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x6dae | 0x6e00 | 00499a6f70259150109c809d6aa0e6ed | False | 0.6611150568181818 | data | 6.508529563136936 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x8000 | 0x2a62 | 0x2c00 | 07990aaa54c3bc638bb87a87f3fb13e3 | False | 0.3526278409090909 | data | 4.390535020989255 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xb000 | 0x67ebc | 0x200 | 014871d9a00f0e0c8c2a7cd25606c453 | False | 0.203125 | data | 1.4308602597540492 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.ndata | 0x73000 | 0x81000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0xf4000 | 0x3eae | 0x4000 | 3b850c7815f2493fe527f869dc70b70b | False | 0.82147216796875 | data | 7.168911172625533 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0xf8000 | 0xf32 | 0x1000 | 092dc095800df04ee701a2107f8a1140 | False | 0.599365234375 | data | 5.511648152519848 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0xf41c0 | 0x2650 | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.001121533442088 |
RT_ICON | 0xf6810 | 0x1128 | Device independent bitmap graphic, 32 x 64 x 32, image size 4352 | English | United States | 0.5346083788706739 |
RT_DIALOG | 0xf7938 | 0x100 | data | English | United States | 0.5234375 |
RT_DIALOG | 0xf7a38 | 0x11c | data | English | United States | 0.6056338028169014 |
RT_DIALOG | 0xf7b54 | 0x60 | data | English | United States | 0.7291666666666666 |
RT_GROUP_ICON | 0xf7bb4 | 0x22 | data | English | United States | 0.9411764705882353 |
RT_MANIFEST | 0xf7bd8 | 0x2d6 | XML 1.0 document, ASCII text, with very long lines (726), with no line terminators | English | United States | 0.5647382920110193 |
DLL | Import |
---|---|
KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW |
USER32.dll | GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW |
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject |
SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation |
ADVAPI32.dll | RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW |
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create |
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance |
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-29T23:45:16.311409+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49712 | 172.67.205.168 | 443 | TCP |
2024-12-29T23:45:16.773394+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49712 | 172.67.205.168 | 443 | TCP |
2024-12-29T23:45:16.773394+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49712 | 172.67.205.168 | 443 | TCP |
2024-12-29T23:45:17.251278+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49718 | 172.67.205.168 | 443 | TCP |
2024-12-29T23:45:17.722215+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.5 | 49718 | 172.67.205.168 | 443 | TCP |
2024-12-29T23:45:17.722215+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49718 | 172.67.205.168 | 443 | TCP |
2024-12-29T23:45:18.329669+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49725 | 172.67.205.168 | 443 | TCP |
2024-12-29T23:45:18.891378+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.5 | 49725 | 172.67.205.168 | 443 | TCP |
2024-12-29T23:45:19.509284+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49735 | 172.67.205.168 | 443 | TCP |
2024-12-29T23:45:20.530019+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49741 | 172.67.205.168 | 443 | TCP |
2024-12-29T23:45:21.665381+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49751 | 172.67.205.168 | 443 | TCP |
2024-12-29T23:45:23.199330+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49762 | 172.67.205.168 | 443 | TCP |
2024-12-29T23:45:25.278782+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49778 | 172.67.205.168 | 443 | TCP |
2024-12-29T23:45:25.765451+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49778 | 172.67.205.168 | 443 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 29, 2024 23:45:15.869527102 CET | 49712 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:15.869561911 CET | 443 | 49712 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:15.869822979 CET | 49712 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:15.871021032 CET | 49712 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:15.871046066 CET | 443 | 49712 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:16.311310053 CET | 443 | 49712 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:16.311408997 CET | 49712 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:16.312895060 CET | 49712 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:16.312910080 CET | 443 | 49712 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:16.313755035 CET | 443 | 49712 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:16.358249903 CET | 49712 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:16.362314939 CET | 49712 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:16.362314939 CET | 49712 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:16.362400055 CET | 443 | 49712 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:16.773411989 CET | 443 | 49712 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:16.773504019 CET | 443 | 49712 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:16.773585081 CET | 49712 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:16.774966955 CET | 49712 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:16.775000095 CET | 443 | 49712 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:16.775024891 CET | 49712 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:16.775039911 CET | 443 | 49712 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:16.791802883 CET | 49718 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:16.791850090 CET | 443 | 49718 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:16.791925907 CET | 49718 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:16.792197943 CET | 49718 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:16.792212009 CET | 443 | 49718 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:17.251199961 CET | 443 | 49718 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:17.251277924 CET | 49718 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:17.252448082 CET | 49718 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:17.252451897 CET | 443 | 49718 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:17.252696037 CET | 443 | 49718 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:17.253818989 CET | 49718 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:17.253868103 CET | 49718 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:17.253880978 CET | 443 | 49718 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:17.722235918 CET | 443 | 49718 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:17.722285986 CET | 443 | 49718 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:17.722318888 CET | 443 | 49718 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:17.722337961 CET | 49718 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:17.722351074 CET | 443 | 49718 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:17.722384930 CET | 443 | 49718 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:17.722419024 CET | 443 | 49718 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:17.722434044 CET | 49718 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:17.722440958 CET | 443 | 49718 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:17.722486019 CET | 49718 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:17.722538948 CET | 443 | 49718 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:17.722584009 CET | 49718 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:17.722589970 CET | 443 | 49718 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:17.726838112 CET | 443 | 49718 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:17.726896048 CET | 49718 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:17.726902008 CET | 443 | 49718 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:17.726963997 CET | 443 | 49718 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:17.727092981 CET | 49718 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:17.727099895 CET | 443 | 49718 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:17.780122042 CET | 49718 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:17.808842897 CET | 443 | 49718 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:17.808914900 CET | 443 | 49718 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:17.808942080 CET | 443 | 49718 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:17.808990002 CET | 49718 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:17.808996916 CET | 443 | 49718 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:17.809026003 CET | 443 | 49718 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:17.809036970 CET | 49718 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:17.809076071 CET | 49718 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:17.809309006 CET | 49718 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:17.809320927 CET | 443 | 49718 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:17.809329033 CET | 49718 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:17.809334040 CET | 443 | 49718 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:17.884736061 CET | 49725 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:17.884753942 CET | 443 | 49725 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:17.884912968 CET | 49725 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:17.885181904 CET | 49725 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:17.885193110 CET | 443 | 49725 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:18.329523087 CET | 443 | 49725 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:18.329668999 CET | 49725 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:18.331075907 CET | 49725 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:18.331082106 CET | 443 | 49725 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:18.331585884 CET | 443 | 49725 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:18.332631111 CET | 49725 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:18.332792044 CET | 49725 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:18.332825899 CET | 443 | 49725 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:18.891468048 CET | 443 | 49725 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:18.891721964 CET | 443 | 49725 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:18.893373966 CET | 49725 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:18.952307940 CET | 49725 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:18.952332020 CET | 443 | 49725 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:19.050580978 CET | 49735 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:19.050614119 CET | 443 | 49735 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:19.050786972 CET | 49735 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:19.054544926 CET | 49735 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:19.054557085 CET | 443 | 49735 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:19.509200096 CET | 443 | 49735 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:19.509284019 CET | 49735 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:19.522908926 CET | 49735 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:19.522927999 CET | 443 | 49735 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:19.523190022 CET | 443 | 49735 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:19.532831907 CET | 49735 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:19.533070087 CET | 49735 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:19.533107042 CET | 443 | 49735 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:19.533160925 CET | 49735 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:19.575345039 CET | 443 | 49735 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:20.016726017 CET | 443 | 49735 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:20.016798973 CET | 443 | 49735 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:20.016958952 CET | 49735 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:20.017004013 CET | 49735 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:20.017014980 CET | 443 | 49735 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:20.084939957 CET | 49741 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:20.085000992 CET | 443 | 49741 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:20.085103035 CET | 49741 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:20.085412025 CET | 49741 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:20.085442066 CET | 443 | 49741 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:20.529936075 CET | 443 | 49741 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:20.530019045 CET | 49741 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:20.531225920 CET | 49741 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:20.531255007 CET | 443 | 49741 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:20.531523943 CET | 443 | 49741 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:20.538405895 CET | 49741 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:20.538547039 CET | 49741 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:20.538585901 CET | 443 | 49741 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:20.538665056 CET | 49741 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:20.538681030 CET | 443 | 49741 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:21.128426075 CET | 443 | 49741 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:21.128555059 CET | 443 | 49741 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:21.128623009 CET | 49741 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:21.128745079 CET | 49741 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:21.128778934 CET | 443 | 49741 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:21.207422018 CET | 49751 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:21.207448959 CET | 443 | 49751 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:21.207544088 CET | 49751 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:21.207781076 CET | 49751 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:21.207793951 CET | 443 | 49751 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:21.665287971 CET | 443 | 49751 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:21.665380955 CET | 49751 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:21.666465998 CET | 49751 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:21.666470051 CET | 443 | 49751 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:21.666671038 CET | 443 | 49751 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:21.667649031 CET | 49751 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:21.667737007 CET | 49751 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:21.667742014 CET | 443 | 49751 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:22.103843927 CET | 443 | 49751 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:22.103940964 CET | 443 | 49751 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:22.103987932 CET | 49751 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:22.107537985 CET | 49751 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:22.107552052 CET | 443 | 49751 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:22.728255033 CET | 49762 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:22.728277922 CET | 443 | 49762 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:22.728347063 CET | 49762 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:22.728749990 CET | 49762 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:22.728761911 CET | 443 | 49762 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:23.199137926 CET | 443 | 49762 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:23.199330091 CET | 49762 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:23.200392962 CET | 49762 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:23.200396061 CET | 443 | 49762 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:23.200721979 CET | 443 | 49762 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:23.201848030 CET | 49762 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:23.202598095 CET | 49762 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:23.202635050 CET | 443 | 49762 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:23.202769041 CET | 49762 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:23.202811003 CET | 443 | 49762 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:23.202939034 CET | 49762 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:23.202976942 CET | 443 | 49762 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:23.203115940 CET | 49762 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:23.203145981 CET | 443 | 49762 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:23.203284025 CET | 49762 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:23.203320980 CET | 443 | 49762 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:23.203490019 CET | 49762 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:23.203526974 CET | 443 | 49762 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:23.203535080 CET | 49762 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:23.203540087 CET | 443 | 49762 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:23.203685045 CET | 49762 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:23.203711033 CET | 443 | 49762 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:23.203732967 CET | 49762 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:23.203866959 CET | 49762 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:23.203897953 CET | 49762 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:23.213311911 CET | 443 | 49762 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:23.213479996 CET | 49762 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:23.213510990 CET | 443 | 49762 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:23.213529110 CET | 49762 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:23.213557959 CET | 49762 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:23.213587046 CET | 49762 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:23.213612080 CET | 443 | 49762 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:24.800321102 CET | 443 | 49762 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:24.800565958 CET | 443 | 49762 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:24.800626993 CET | 49762 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:24.822221041 CET | 49762 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:24.822226048 CET | 443 | 49762 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:24.825778961 CET | 49778 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:24.825824022 CET | 443 | 49778 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:24.825880051 CET | 49778 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:24.826133966 CET | 49778 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:24.826143980 CET | 443 | 49778 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:25.278697968 CET | 443 | 49778 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:25.278781891 CET | 49778 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:25.288048029 CET | 49778 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:25.288059950 CET | 443 | 49778 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:25.288281918 CET | 443 | 49778 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:25.292565107 CET | 49778 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:25.292597055 CET | 49778 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:25.292740107 CET | 443 | 49778 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:25.765537024 CET | 443 | 49778 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:25.765667915 CET | 443 | 49778 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:25.765729904 CET | 49778 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:25.765749931 CET | 443 | 49778 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:25.765866995 CET | 443 | 49778 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:25.765918970 CET | 49778 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:25.765923977 CET | 443 | 49778 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:25.766019106 CET | 443 | 49778 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:25.766067982 CET | 49778 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:25.766072989 CET | 443 | 49778 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:25.766168118 CET | 443 | 49778 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:25.766216993 CET | 49778 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:25.766222000 CET | 443 | 49778 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:25.769968987 CET | 443 | 49778 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:25.770025015 CET | 49778 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:25.770030022 CET | 443 | 49778 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:25.770114899 CET | 443 | 49778 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:25.770164967 CET | 49778 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:25.770169020 CET | 443 | 49778 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:25.770306110 CET | 443 | 49778 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:25.770368099 CET | 49778 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:25.770410061 CET | 49778 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:25.770421982 CET | 443 | 49778 | 172.67.205.168 | 192.168.2.5 |
Dec 29, 2024 23:45:25.770431995 CET | 49778 | 443 | 192.168.2.5 | 172.67.205.168 |
Dec 29, 2024 23:45:25.770437002 CET | 443 | 49778 | 172.67.205.168 | 192.168.2.5 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 29, 2024 23:45:02.203872919 CET | 58356 | 53 | 192.168.2.5 | 1.1.1.1 |
Dec 29, 2024 23:45:02.212400913 CET | 53 | 58356 | 1.1.1.1 | 192.168.2.5 |
Dec 29, 2024 23:45:15.851309061 CET | 56958 | 53 | 192.168.2.5 | 1.1.1.1 |
Dec 29, 2024 23:45:15.864758015 CET | 53 | 56958 | 1.1.1.1 | 192.168.2.5 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Dec 29, 2024 23:45:02.203872919 CET | 192.168.2.5 | 1.1.1.1 | 0xa158 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Dec 29, 2024 23:45:15.851309061 CET | 192.168.2.5 | 1.1.1.1 | 0xcad1 | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Dec 29, 2024 23:45:02.212400913 CET | 1.1.1.1 | 192.168.2.5 | 0xa158 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
Dec 29, 2024 23:45:15.864758015 CET | 1.1.1.1 | 192.168.2.5 | 0xcad1 | No error (0) | 172.67.205.168 | A (IP address) | IN (0x0001) | false | ||
Dec 29, 2024 23:45:15.864758015 CET | 1.1.1.1 | 192.168.2.5 | 0xcad1 | No error (0) | 104.21.22.163 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.5 | 49712 | 172.67.205.168 | 443 | 5508 | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\573646\Accidents.com |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-29 22:45:16 UTC | 264 | OUT | |
2024-12-29 22:45:16 UTC | 8 | OUT | |
2024-12-29 22:45:16 UTC | 1127 | IN | |
2024-12-29 22:45:16 UTC | 7 | IN | |
2024-12-29 22:45:16 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.5 | 49718 | 172.67.205.168 | 443 | 5508 | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\573646\Accidents.com |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-29 22:45:17 UTC | 265 | OUT | |
2024-12-29 22:45:17 UTC | 52 | OUT | |
2024-12-29 22:45:17 UTC | 1133 | IN | |
2024-12-29 22:45:17 UTC | 236 | IN | |
2024-12-29 22:45:17 UTC | 1369 | IN | |
2024-12-29 22:45:17 UTC | 1369 | IN | |
2024-12-29 22:45:17 UTC | 1369 | IN | |
2024-12-29 22:45:17 UTC | 1369 | IN | |
2024-12-29 22:45:17 UTC | 1369 | IN | |
2024-12-29 22:45:17 UTC | 265 | IN | |
2024-12-29 22:45:17 UTC | 1369 | IN | |
2024-12-29 22:45:17 UTC | 1369 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.5 | 49725 | 172.67.205.168 | 443 | 5508 | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\573646\Accidents.com |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-29 22:45:18 UTC | 278 | OUT | |
2024-12-29 22:45:18 UTC | 12810 | OUT | |
2024-12-29 22:45:18 UTC | 1132 | IN | |
2024-12-29 22:45:18 UTC | 20 | IN | |
2024-12-29 22:45:18 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.5 | 49735 | 172.67.205.168 | 443 | 5508 | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\573646\Accidents.com |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-29 22:45:19 UTC | 278 | OUT | |
2024-12-29 22:45:19 UTC | 15052 | OUT | |
2024-12-29 22:45:20 UTC | 1137 | IN | |
2024-12-29 22:45:20 UTC | 20 | IN | |
2024-12-29 22:45:20 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.5 | 49741 | 172.67.205.168 | 443 | 5508 | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\573646\Accidents.com |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-29 22:45:20 UTC | 280 | OUT | |
2024-12-29 22:45:20 UTC | 15331 | OUT | |
2024-12-29 22:45:20 UTC | 5223 | OUT | |
2024-12-29 22:45:21 UTC | 1129 | IN | |
2024-12-29 22:45:21 UTC | 20 | IN | |
2024-12-29 22:45:21 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.5 | 49751 | 172.67.205.168 | 443 | 5508 | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\573646\Accidents.com |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-29 22:45:21 UTC | 276 | OUT | |
2024-12-29 22:45:21 UTC | 1229 | OUT | |
2024-12-29 22:45:22 UTC | 1134 | IN | |
2024-12-29 22:45:22 UTC | 20 | IN | |
2024-12-29 22:45:22 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.5 | 49762 | 172.67.205.168 | 443 | 5508 | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\573646\Accidents.com |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-29 22:45:23 UTC | 280 | OUT | |
2024-12-29 22:45:23 UTC | 15331 | OUT | |
2024-12-29 22:45:23 UTC | 15331 | OUT | |
2024-12-29 22:45:23 UTC | 15331 | OUT | |
2024-12-29 22:45:23 UTC | 15331 | OUT | |
2024-12-29 22:45:23 UTC | 15331 | OUT | |
2024-12-29 22:45:23 UTC | 15331 | OUT | |
2024-12-29 22:45:23 UTC | 15331 | OUT | |
2024-12-29 22:45:23 UTC | 15331 | OUT | |
2024-12-29 22:45:23 UTC | 15331 | OUT | |
2024-12-29 22:45:23 UTC | 15331 | OUT | |
2024-12-29 22:45:24 UTC | 1133 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.5 | 49778 | 172.67.205.168 | 443 | 5508 | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\573646\Accidents.com |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-29 22:45:25 UTC | 265 | OUT | |
2024-12-29 22:45:25 UTC | 87 | OUT | |
2024-12-29 22:45:25 UTC | 1127 | IN | |
2024-12-29 22:45:25 UTC | 242 | IN | |
2024-12-29 22:45:25 UTC | 1219 | IN | |
2024-12-29 22:45:25 UTC | 1369 | IN | |
2024-12-29 22:45:25 UTC | 1369 | IN | |
2024-12-29 22:45:25 UTC | 1369 | IN | |
2024-12-29 22:45:25 UTC | 1369 | IN | |
2024-12-29 22:45:25 UTC | 1369 | IN | |
2024-12-29 22:45:25 UTC | 1369 | IN | |
2024-12-29 22:45:25 UTC | 1369 | IN |
Target ID: | 0 |
Start time: | 17:44:54 |
Start date: | 29/12/2024 |
Path: | C:\Users\user\Desktop\AquaPac.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 1'103'634 bytes |
MD5 hash: | 609ACB4F45E7E7692DFEDAEE6C2854AD |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 2 |
Start time: | 17:44:55 |
Start date: | 29/12/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x790000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 17:44:55 |
Start date: | 29/12/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6d64d0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 4 |
Start time: | 17:44:58 |
Start date: | 29/12/2024 |
Path: | C:\Windows\SysWOW64\tasklist.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2e0000 |
File size: | 79'360 bytes |
MD5 hash: | 0A4448B31CE7F83CB7691A2657F330F1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 5 |
Start time: | 17:44:58 |
Start date: | 29/12/2024 |
Path: | C:\Windows\SysWOW64\findstr.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8d0000 |
File size: | 29'696 bytes |
MD5 hash: | F1D4BE0E99EC734376FDE474A8D4EA3E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 6 |
Start time: | 17:44:58 |
Start date: | 29/12/2024 |
Path: | C:\Windows\SysWOW64\tasklist.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2e0000 |
File size: | 79'360 bytes |
MD5 hash: | 0A4448B31CE7F83CB7691A2657F330F1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 7 |
Start time: | 17:44:58 |
Start date: | 29/12/2024 |
Path: | C:\Windows\SysWOW64\findstr.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8d0000 |
File size: | 29'696 bytes |
MD5 hash: | F1D4BE0E99EC734376FDE474A8D4EA3E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 8 |
Start time: | 17:44:59 |
Start date: | 29/12/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x790000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 9 |
Start time: | 17:44:59 |
Start date: | 29/12/2024 |
Path: | C:\Windows\SysWOW64\extrac32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x510000 |
File size: | 29'184 bytes |
MD5 hash: | 9472AAB6390E4F1431BAA912FCFF9707 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 10 |
Start time: | 17:44:59 |
Start date: | 29/12/2024 |
Path: | C:\Windows\SysWOW64\findstr.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8d0000 |
File size: | 29'696 bytes |
MD5 hash: | F1D4BE0E99EC734376FDE474A8D4EA3E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 11 |
Start time: | 17:44:59 |
Start date: | 29/12/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x790000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 12 |
Start time: | 17:45:00 |
Start date: | 29/12/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x790000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 13 |
Start time: | 17:45:00 |
Start date: | 29/12/2024 |
Path: | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\573646\Accidents.com |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x640000 |
File size: | 947'288 bytes |
MD5 hash: | 62D09F076E6E0240548C2F837536A46A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Antivirus matches: |
Has exited: | false |
Target ID: | 14 |
Start time: | 17:45:00 |
Start date: | 29/12/2024 |
Path: | C:\Windows\SysWOW64\choice.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x530000 |
File size: | 28'160 bytes |
MD5 hash: | FCE0E41C87DC4ABBE976998AD26C27E4 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Execution Graph
Execution Coverage: | 18.5% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 20.7% |
Total number of Nodes: | 1525 |
Total number of Limit Nodes: | 33 |
Graph
Function 004050CD Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 295 (window, clipboard, memory; COMMON)
Function 00403883 Relevance: 54.6, APIs: 22, Strings: 9, Instructions: 304 (file, string, com; COMMON)
Function 00406805 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212 (string; COMMON)
Function 004074BB Relevance: 5.4, APIs: 4, Instructions: 382 (COMMON)
Function 004062D5 Relevance: 3.0, APIs: 2, Instructions: 14 (file; COMMON)
Function 00405479 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345 (window, string; COMMON)
Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351 (sleep, file, window; COMMON)
Function 0040592C Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233 (string, registry, library; COMMON)
Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185 (string, time; COMMON)
Function 0040337F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 166 (file; COMMON)
Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56 (memory; COMMON)
Function 004078C5 Relevance: 5.2, APIs: 4, Instructions: 238 (COMMON)
Function 00407AC3 Relevance: 5.2, APIs: 4, Instructions: 211 (COMMON)
Function 00407312 Relevance: 5.2, APIs: 4, Instructions: 201 (COMMON)
Function 00407752 Relevance: 5.2, APIs: 4, Instructions: 179 (COMMON)
Function 00407854 Relevance: 5.2, APIs: 4, Instructions: 169 (COMMON)
Function 004077B2 Relevance: 5.2, APIs: 4, Instructions: 166 (COMMON)
Function 00407C5F Relevance: 5.2, APIs: 4, Instructions: 156 (memory; COMMON)
Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42 (window; COMMON)
Function 00405E50 Relevance: 3.0, APIs: 2, Instructions: 15 (file; COMMON)
Function 00405E30 Relevance: 3.0, APIs: 2, Instructions: 9 (COMMON)
Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22 (file; COMMON)
Function 004037CC Relevance: 1.5, APIs: 1, Instructions: 20 (COMMON)
Function 00403DAF Relevance: 1.5, APIs: 1, Instructions: 9 (window; COMMON)
Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6 (COMMON)
Function 00403D98 Relevance: 1.5, APIs: 1, Instructions: 6 (window; COMMON)
Function 00403D85 Relevance: 1.5, APIs: 1, Instructions: 4 (COMMON)
Function 0040497C Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004044A5 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 300stringkeyboardCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406ED2 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406C9B Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 190filestringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00402E18 Relevance: 1.5, APIs: 1, Instructions: 27fileCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004063AC Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004040B8 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406A99 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 163filestringmemoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004060E7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72filestringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00403DCA Relevance: 12.1, APIs: 8, Instructions: 60COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004023F0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 83libraryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040484E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004043AD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 73stringCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004048CC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58windowCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406224 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004071F8 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406365 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405C3F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004062A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405DB6 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|