Edit tour
Windows
Analysis Report
6QLvb9i.exe
Overview
General Information
| Sample name: | 6QLvb9i.exe |
| Analysis ID: | 1582310 |
| MD5: | c79ad67c0547a2c2f19268618331e4ad |
| SHA1: | 65a778a9ecf4e08bce37d3036e2797693edbbcaa |
| SHA256: | 7ed9c30302d9c77df46d0f85af2972484ea0a0c55bdea41a263d7a9a7e67a2ed |
| Tags: | exeinfostealerlummamalwareuser-Joker |
| Infos: |  |
 | |
Detection
LummaC
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to modify clipboard data
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
6QLvb9i.exe (PID: 7384 cmdline: "C:\Users\ user\Deskt op\6QLvb9i .exe" MD5: C79AD67C0547A2C2F19268618331E4AD) 
conhost.exe (PID: 7392 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - 6QLvb9i.exe (PID: 7448 cmdline:
"C:\Users\ user\Deskt op\6QLvb9i .exe" MD5: C79AD67C0547A2C2F19268618331E4AD)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
{"C2 url": ["framekgirus.shop", "wholersorie.shop", "noisycuttej.shop", "tirepublicerj.shop", "undesirabkel.click", "cloudewahsj.shop", "rabidcowse.shop", "nearycrepso.shop", "abruptyopsn.shop"], "Build id": "LPnhqo--ijcujmprgili"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| Click to see the 3 entries | ||||
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-30T10:35:02.511450+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49730 | 188.114.97.3 | 443 | TCP |
| 2024-12-30T10:35:03.434662+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 188.114.97.3 | 443 | TCP |
| 2024-12-30T10:35:04.581835+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 188.114.97.3 | 443 | TCP |
| 2024-12-30T10:35:05.691058+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 188.114.97.3 | 443 | TCP |
| 2024-12-30T10:35:10.931130+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49734 | 188.114.97.3 | 443 | TCP |
| 2024-12-30T10:35:12.705981+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49735 | 188.114.97.3 | 443 | TCP |
| 2024-12-30T10:35:14.111373+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49736 | 188.114.97.3 | 443 | TCP |
| 2024-12-30T10:35:16.659727+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 188.114.97.3 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-30T10:35:02.973013+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 188.114.97.3 | 443 | TCP |
| 2024-12-30T10:35:03.873547+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 188.114.97.3 | 443 | TCP |
| 2024-12-30T10:35:17.107150+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 188.114.97.3 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-30T10:35:02.973013+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 188.114.97.3 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-30T10:35:03.873547+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 188.114.97.3 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-30T10:35:02.511450+0100 | 2058551 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49730 | 188.114.97.3 | 443 | TCP |
| 2024-12-30T10:35:03.434662+0100 | 2058551 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49731 | 188.114.97.3 | 443 | TCP |
| 2024-12-30T10:35:04.581835+0100 | 2058551 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49732 | 188.114.97.3 | 443 | TCP |
| 2024-12-30T10:35:05.691058+0100 | 2058551 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49733 | 188.114.97.3 | 443 | TCP |
| 2024-12-30T10:35:10.931130+0100 | 2058551 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49734 | 188.114.97.3 | 443 | TCP |
| 2024-12-30T10:35:12.705981+0100 | 2058551 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49735 | 188.114.97.3 | 443 | TCP |
| 2024-12-30T10:35:14.111373+0100 | 2058551 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49736 | 188.114.97.3 | 443 | TCP |
| 2024-12-30T10:35:16.659727+0100 | 2058551 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49737 | 188.114.97.3 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-30T10:35:02.026314+0100 | 2058550 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 60805 | 1.1.1.1 | 53 | UDP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-30T10:35:13.155766+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 188.114.97.3 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-30T10:35:14.132401+0100 | 2843864 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 188.114.97.3 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Code function: | 2_2_0041A5C1 | |
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 0_2_008F82A9 | |
| Source: | Code function: | 2_2_004410A0 | |
| Source: | Code function: | 2_2_0040E9AA | |
| Source: | Code function: | 2_2_0040C44A | |
| Source: | Code function: | 2_2_0043FC60 | |
| Source: | Code function: | 2_2_00440C70 | |
| Source: | Code function: | 2_2_0043E41E | |
| Source: | Code function: | 2_2_0043E41E | |
| Source: | Code function: | 2_2_00424428 | |
| Source: | Code function: | 2_2_0043E480 | |
| Source: | Code function: | 2_2_0043E480 | |
| Source: | Code function: | 2_2_0043BE00 | |
| Source: | Code function: | 2_2_0043BE00 | |
| Source: | Code function: | 2_2_00440E20 | |
| Source: | Code function: | 2_2_0040CF4B | |
| Source: | Code function: | 2_2_0040CF4B | |
| Source: | Code function: | 2_2_00422F20 | |
| Source: | Code function: | 2_2_0040DF94 | |
| Source: | Code function: | 2_2_0042A100 | |
| Source: | Code function: | 2_2_0042A100 | |
| Source: | Code function: | 2_2_00415102 | |
| Source: | Code function: | 2_2_0041E92F | |
| Source: | Code function: | 2_2_0041E92F | |
| Source: | Code function: | 2_2_0041E92F | |
| Source: | Code function: | 2_2_0043F9D0 | |
| Source: | Code function: | 2_2_004091F0 | |
| Source: | Code function: | 2_2_00405980 | |
| Source: | Code function: | 2_2_00405980 | |
| Source: | Code function: | 2_2_0042D1BA | |
| Source: | Code function: | 2_2_0043F250 | |
| Source: | Code function: | 2_2_0043F250 | |
| Source: | Code function: | 2_2_0043F250 | |
| Source: | Code function: | 2_2_00420270 | |
| Source: | Code function: | 2_2_00423A00 | |
| Source: | Code function: | 2_2_00423A00 | |
| Source: | Code function: | 2_2_00423A00 | |
| Source: | Code function: | 2_2_0042EA12 | |
| Source: | Code function: | 2_2_00417A10 | |
| Source: | Code function: | 2_2_00441220 | |
| Source: | Code function: | 2_2_0042D22E | |
| Source: | Code function: | 2_2_0042BA30 | |
| Source: | Code function: | 2_2_004162C4 | |
| Source: | Code function: | 2_2_0043C280 | |
| Source: | Code function: | 2_2_0041DAA8 | |
| Source: | Code function: | 2_2_0041CB70 | |
| Source: | Code function: | 2_2_00428B70 | |
| Source: | Code function: | 2_2_00428B70 | |
| Source: | Code function: | 2_2_00428B70 | |
| Source: | Code function: | 2_2_0041AB34 | |
| Source: | Code function: | 2_2_0042C3F0 | |
| Source: | Code function: | 2_2_004273AE | |
| Source: | Code function: | 2_2_0040BC41 | |
| Source: | Code function: | 2_2_0042A458 | |
| Source: | Code function: | 2_2_0042D460 | |
| Source: | Code function: | 2_2_0042D464 | |
| Source: | Code function: | 2_2_0041B470 | |
| Source: | Code function: | 2_2_0041B470 | |
| Source: | Code function: | 2_2_0041B470 | |
| Source: | Code function: | 2_2_00402C00 | |
| Source: | Code function: | 2_2_00418C28 | |
| Source: | Code function: | 2_2_0043F430 | |
| Source: | Code function: | 2_2_0043F430 | |
| Source: | Code function: | 2_2_00429CC0 | |
| Source: | Code function: | 2_2_00429CC0 | |
| Source: | Code function: | 2_2_00429CC0 | |
| Source: | Code function: | 2_2_0043F4C0 | |
| Source: | Code function: | 2_2_0043F4C0 | |
| Source: | Code function: | 2_2_004284D0 | |
| Source: | Code function: | 2_2_0041D4D6 | |
| Source: | Code function: | 2_2_004074E0 | |
| Source: | Code function: | 2_2_004074E0 | |
| Source: | Code function: | 2_2_00418CE7 | |
| Source: | Code function: | 2_2_004284B0 | |
| Source: | Code function: | 2_2_004284B0 | |
| Source: | Code function: | 2_2_004284B0 | |
| Source: | Code function: | 2_2_00416548 | |
| Source: | Code function: | 2_2_0043F550 | |
| Source: | Code function: | 2_2_0043F550 | |
| Source: | Code function: | 2_2_00439500 | |
| Source: | Code function: | 2_2_0041AD93 | |
| Source: | Code function: | 2_2_0042CDAC | |
| Source: | Code function: | 2_2_0042CE4C | |
| Source: | Code function: | 2_2_00415656 | |
| Source: | Code function: | 2_2_00415656 | |
| Source: | Code function: | 2_2_0043E674 | |
| Source: | Code function: | 2_2_0043E674 | |
| Source: | Code function: | 2_2_0043E678 | |
| Source: | Code function: | 2_2_0043E678 | |
| Source: | Code function: | 2_2_0042CE04 | |
| Source: | Code function: | 2_2_0042A623 | |
| Source: | Code function: | 2_2_00428633 | |
| Source: | Code function: | 2_2_0041D6F4 | |
| Source: | Code function: | 2_2_0041D6F4 | |
| Source: | Code function: | 2_2_00435F00 | |
| Source: | Code function: | 2_2_0040AF0D | |
| Source: | Code function: | 2_2_0041AFD7 | |
| Source: | Code function: | 2_2_004227F0 | |
| Source: | Code function: | 2_2_004227F0 | |
| Source: | Code function: | 2_2_00425FA6 | |
| Source: | Code function: | 2_2_00425FA6 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 2_2_00433890 | |
| Source: | Code function: | 2_2_052E1000 | |
| Source: | Code function: | 2_2_00433890 | |
| Source: | Code function: | 2_2_00433A40 | |
| Source: | Code function: | 0_2_008F0060 | |
| Source: | Code function: | 0_2_008E6127 | |
| Source: | Code function: | 0_2_008FB59E | |
| Source: | Code function: | 0_2_008EA982 | |
| Source: | Code function: | 0_2_008FBD99 | |
| Source: | Code function: | 0_2_008FDFE2 | |
| Source: | Code function: | 2_2_00438810 | |
| Source: | Code function: | 2_2_0041E150 | |
| Source: | Code function: | 2_2_00428130 | |
| Source: | Code function: | 2_2_004191D6 | |
| Source: | Code function: | 2_2_004231E0 | |
| Source: | Code function: | 2_2_0040E9AA | |
| Source: | Code function: | 2_2_00412AE0 | |
| Source: | Code function: | 2_2_004253D0 | |
| Source: | Code function: | 2_2_0042DBBA | |
| Source: | Code function: | 2_2_0040C44A | |
| Source: | Code function: | 2_2_00424428 | |
| Source: | Code function: | 2_2_004214C0 | |
| Source: | Code function: | 2_2_004384D0 | |
| Source: | Code function: | 2_2_0041A5C1 | |
| Source: | Code function: | 2_2_0043FD90 | |
| Source: | Code function: | 2_2_0043BE00 | |
| Source: | Code function: | 2_2_004406C0 | |
| Source: | Code function: | 2_2_0040CF4B | |
| Source: | Code function: | 2_2_00408710 | |
| Source: | Code function: | 2_2_0040DF94 | |
| Source: | Code function: | 2_2_00440000 | |
| Source: | Code function: | 2_2_0040A8D0 | |
| Source: | Code function: | 2_2_0041988F | |
| Source: | Code function: | 2_2_0042F8B6 | |
| Source: | Code function: | 2_2_00403940 | |
| Source: | Code function: | 2_2_0041F950 | |
| Source: | Code function: | 2_2_0041C950 | |
| Source: | Code function: | 2_2_0042A100 | |
| Source: | Code function: | 2_2_00415102 | |
| Source: | Code function: | 2_2_0041E92F | |
| Source: | Code function: | 2_2_004279D0 | |
| Source: | Code function: | 2_2_004391D0 | |
| Source: | Code function: | 2_2_0043F9D0 | |
| Source: | Code function: | 2_2_004091F0 | |
| Source: | Code function: | 2_2_00405980 | |
| Source: | Code function: | 2_2_00448185 | |
| Source: | Code function: | 2_2_00425A40 | |
| Source: | Code function: | 2_2_0040F250 | |
| Source: | Code function: | 2_2_0043F250 | |
| Source: | Code function: | 2_2_00406270 | |
| Source: | Code function: | 2_2_00420270 | |
| Source: | Code function: | 2_2_004372C9 | |
| Source: | Code function: | 2_2_0040CAD0 | |
| Source: | Code function: | 2_2_004402E0 | |
| Source: | Code function: | 2_2_004042F0 | |
| Source: | Code function: | 2_2_0041DAA8 | |
| Source: | Code function: | 2_2_0043C360 | |
| Source: | Code function: | 2_2_00428B70 | |
| Source: | Code function: | 2_2_0042F301 | |
| Source: | Code function: | 2_2_00418328 | |
| Source: | Code function: | 2_2_0041739F | |
| Source: | Code function: | 2_2_0040DC4E | |
| Source: | Code function: | 2_2_0043EC5E | |
| Source: | Code function: | 2_2_0041B470 | |
| Source: | Code function: | 2_2_00431C70 | |
| Source: | Code function: | 2_2_00418C28 | |
| Source: | Code function: | 2_2_0043F430 | |
| Source: | Code function: | 2_2_00429CC0 | |
| Source: | Code function: | 2_2_0043F4C0 | |
| Source: | Code function: | 2_2_00437CC0 | |
| Source: | Code function: | 2_2_0043D4CF | |
| Source: | Code function: | 2_2_004074E0 | |
| Source: | Code function: | 2_2_00417CF1 | |
| Source: | Code function: | 2_2_004284B0 | |
| Source: | Code function: | 2_2_00416548 | |
| Source: | Code function: | 2_2_0043F550 | |
| Source: | Code function: | 2_2_0041FD70 | |
| Source: | Code function: | 2_2_00423D70 | |
| Source: | Code function: | 2_2_00439500 | |
| Source: | Code function: | 2_2_0041E524 | |
| Source: | Code function: | 2_2_00425DC0 | |
| Source: | Code function: | 2_2_0041F650 | |
| Source: | Code function: | 2_2_00415656 | |
| Source: | Code function: | 2_2_0043666A | |
| Source: | Code function: | 2_2_0042667A | |
| Source: | Code function: | 2_2_00409600 | |
| Source: | Code function: | 2_2_00416E10 | |
| Source: | Code function: | 2_2_00439E27 | |
| Source: | Code function: | 2_2_00428633 | |
| Source: | Code function: | 2_2_0042AEE0 | |
| Source: | Code function: | 2_2_004176E3 | |
| Source: | Code function: | 2_2_00411EED | |
| Source: | Code function: | 2_2_0041D6F4 | |
| Source: | Code function: | 2_2_00402F40 | |
| Source: | Code function: | 2_2_0043C770 | |
| Source: | Code function: | 2_2_00406700 | |
| Source: | Code function: | 2_2_0040AF0D | |
| Source: | Code function: | 2_2_0042DF11 | |
| Source: | Code function: | 2_2_00437F20 | |
| Source: | Code function: | 2_2_00447FC7 | |
| Source: | Code function: | 2_2_0041AFD7 | |
| Source: | Code function: | 2_2_004227F0 | |
| Source: | Code function: | 2_2_0041988F | |
| Source: | Code function: | 2_2_00418328 | |
| Source: | Code function: | 2_2_00425FA6 | |
| Source: | Code function: | 2_2_00430FA9 | |
| Source: | Code function: | 2_2_008F0060 | |
| Source: | Code function: | 2_2_008E6127 | |
| Source: | Code function: | 2_2_008FB59E | |
| Source: | Code function: | 2_2_008EA982 | |
| Source: | Code function: | 2_2_008FBD99 | |
| Source: | Code function: | 2_2_008FDFE2 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 2_2_00438810 | |
| Source: | Mutant created: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Virustotal: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_008E6776 | |
| Source: | Code function: | 2_2_0043F1F2 | |
| Source: | Code function: | 2_2_008E6776 | |
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | WMI Queries: | ||
| Source: | System information queried: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Evasive API call chain: | graph_0-21548 | ||
| Source: | API coverage: | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Code function: | 0_2_008F82A9 | |
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_2-35917 | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 2_2_0043DCD0 | |
| Source: | Code function: | 0_2_008E64BF | |
| Source: | Code function: | 0_2_0091519E | |
| Source: | Code function: | 0_2_008D1BA0 | |
| Source: | Code function: | 2_2_008D1BA0 | |
| Source: | Code function: | 0_2_008F3BE0 | |
| Source: | Code function: | 0_2_008E60FF | |
| Source: | Code function: | 0_2_008E64BF | |
| Source: | Code function: | 0_2_008E64B3 | |
| Source: | Code function: | 0_2_008EE600 | |
| Source: | Code function: | 2_2_008E60FF | |
| Source: | Code function: | 2_2_008E64BF | |
| Source: | Code function: | 2_2_008E64B3 | |
| Source: | Code function: | 2_2_008EE600 | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Code function: | 0_2_0091519E | |
| Source: | Memory written: | Jump to behavior | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_008F34BD | |
| Source: | Code function: | 0_2_008F7547 | |
| Source: | Code function: | 0_2_008F7798 | |
| Source: | Code function: | 0_2_008F7840 | |
| Source: | Code function: | 0_2_008F7A93 | |
| Source: | Code function: | 0_2_008F7BD5 | |
| Source: | Code function: | 0_2_008F7B00 | |
| Source: | Code function: | 0_2_008F7CC7 | |
| Source: | Code function: | 0_2_008F7C20 | |
| Source: | Code function: | 0_2_008F7DCD | |
| Source: | Code function: | 0_2_008F2FB5 | |
| Source: | Code function: | 2_2_008F34BD | |
| Source: | Code function: | 2_2_008F7547 | |
| Source: | Code function: | 2_2_008F7798 | |
| Source: | Code function: | 2_2_008F7840 | |
| Source: | Code function: | 2_2_008F7A93 | |
| Source: | Code function: | 2_2_008F7BD5 | |
| Source: | Code function: | 2_2_008F7B00 | |
| Source: | Code function: | 2_2_008F7CC7 | |
| Source: | Code function: | 2_2_008F7C20 | |
| Source: | Code function: | 2_2_008F7DCD | |
| Source: | Code function: | 2_2_008F2FB5 | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_008E6AB4 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 DLL Side-Loading | 211 Process Injection | 21 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 211 Process Injection | LSASS Memory | 1 Query Registry | Remote Desktop Protocol | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 241 Security Software Discovery | SMB/Windows Admin Shares | 41 Data from Local System | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 21 Virtualization/Sandbox Evasion | Distributed Component Object Model | 3 Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 11 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 33 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 47% | Virustotal | Browse | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| undesirabkel.click | 188.114.97.3 | true | true | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 188.114.97.3 | undesirabkel.click | European Union | 13335 | CLOUDFLARENETUS | true |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1582310 |
| Start date and time: | 2024-12-30 10:34:05 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 5s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 7 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | 6QLvb9i.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@4/0@1/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
| Time | Type | Description |
|---|---|---|
| 04:35:01 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 188.114.97.3 | Get hash | malicious | FormBook | Browse |
| |
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Ducktail | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| undesirabkel.click | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | LummaC | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC | Browse |
| |
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC, DarkTortilla, LummaC Stealer | Browse |
|
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 7.728021476739721 |
| TrID: |
|
| File name: | 6QLvb9i.exe |
| File size: | 916'992 bytes |
| MD5: | c79ad67c0547a2c2f19268618331e4ad |
| SHA1: | 65a778a9ecf4e08bce37d3036e2797693edbbcaa |
| SHA256: | 7ed9c30302d9c77df46d0f85af2972484ea0a0c55bdea41a263d7a9a7e67a2ed |
| SHA512: | 9e6601eda66a89e5cfbcfaaa33cb1d06bd2b3caea8e71450b34e9f690d7853f5f377aa61602060136b926e7f052036384c972da07f69f1331f179bdfac96294a |
| SSDEEP: | 24576:OGEZcUhkBQHPB+A+AK5UgFPB+A+AK5UgJ:OG0cUhkqkAZbtAZb8 |
| TLSH: | 2C15F0027691C1B3DD7321B315B9D76E492AF10017A2A9DF1B880EAEDFB06D15E31B36 |
| File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Mqg.................&...\.......n............@..........................`............@.....................................<.. |
 | |
| Icon Hash: | 90cececece8e8eb0 |
| Entrypoint: | 0x416ea0 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows cui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x67714D83 [Sun Dec 29 13:24:19 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 588987af4e159ab133c2fd81ab21d6c3 |
| Instruction |
|---|
| call 00007FDACCB4B2EAh |
| jmp 00007FDACCB4B14Dh |
| mov ecx, dword ptr [00446C40h] |
| push esi |
| push edi |
| mov edi, BB40E64Eh |
| mov esi, FFFF0000h |
| cmp ecx, edi |
| je 00007FDACCB4B2E6h |
| test esi, ecx |
| jne 00007FDACCB4B308h |
| call 00007FDACCB4B311h |
| mov ecx, eax |
| cmp ecx, edi |
| jne 00007FDACCB4B2E9h |
| mov ecx, BB40E64Fh |
| jmp 00007FDACCB4B2F0h |
| test esi, ecx |
| jne 00007FDACCB4B2ECh |
| or eax, 00004711h |
| shl eax, 10h |
| or ecx, eax |
| mov dword ptr [00446C40h], ecx |
| not ecx |
| pop edi |
| mov dword ptr [00446C80h], ecx |
| pop esi |
| ret |
| push ebp |
| mov ebp, esp |
| sub esp, 14h |
| lea eax, dword ptr [ebp-0Ch] |
| xorps xmm0, xmm0 |
| push eax |
| movlpd qword ptr [ebp-0Ch], xmm0 |
| call dword ptr [0044186Ch] |
| mov eax, dword ptr [ebp-08h] |
| xor eax, dword ptr [ebp-0Ch] |
| mov dword ptr [ebp-04h], eax |
| call dword ptr [00441828h] |
| xor dword ptr [ebp-04h], eax |
| call dword ptr [00441824h] |
| xor dword ptr [ebp-04h], eax |
| lea eax, dword ptr [ebp-14h] |
| push eax |
| call dword ptr [004418BCh] |
| mov eax, dword ptr [ebp-10h] |
| lea ecx, dword ptr [ebp-04h] |
| xor eax, dword ptr [ebp-14h] |
| xor eax, dword ptr [ebp-04h] |
| xor eax, ecx |
| leave |
| ret |
| mov eax, 00004000h |
| ret |
| push 00448318h |
| call dword ptr [00441894h] |
| ret |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| mov al, 01h |
| ret |
| push 00030000h |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x41608 | 0x3c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4a000 | 0xe8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4b000 | 0x2724 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x3d300 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x35e38 | 0xc0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x417b8 | 0x174 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x3245a | 0x32600 | c4549430d24610c92b37bed6473270d7 | False | 0.4947755117866005 | data | 6.4148411499579145 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x34000 | 0x103dc | 0x10400 | 8f41f0a4477466e083dd1225271b1fed | False | 0.4734675480769231 | DOS executable (COM) | 5.262841422439912 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x45000 | 0x3ae0 | 0x2c00 | 41abedb3cd61d6efee59d0f1e4be6075 | False | 0.27885298295454547 | data | 5.101110177853289 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .tls | 0x49000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x4a000 | 0xe8 | 0x200 | 9ba0e63b56b364ddba7264c6ed8b3c7f | False | 0.306640625 | data | 2.341009454357875 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x4b000 | 0x2724 | 0x2800 | 8bb45e0eca6ae0cfb6acb30c1d288b24 | False | 0.74765625 | data | 6.507988645199514 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| .BSS | 0x4e000 | 0x4ba00 | 0x4ba00 | eccb66f863b798d95739a792f0124a43 | False | 1.0003260588842975 | data | 7.999327326241269 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .BSS | 0x9a000 | 0x4ba00 | 0x4ba00 | eccb66f863b798d95739a792f0124a43 | False | 1.0003260588842975 | data | 7.999327326241269 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_MANIFEST | 0x4a060 | 0x87 | XML 1.0 document, ASCII text | English | United States | 0.8222222222222222 |
| DLL | Import |
|---|---|
| KERNEL32.dll | AcquireSRWLockExclusive, CloseHandle, CloseThreadpoolWork, CompareStringW, CreateFileW, CreateThreadpoolWork, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeConsole, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryWhenCallbackReturns, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitOnceBeginInitialize, InitOnceComplete, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, SubmitThreadpoolWork, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile |
| GDI32.dll | EndPage, GetMetaFileBitsEx |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-30T10:35:02.026314+0100 | 2058550 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (undesirabkel .click) | 1 | 192.168.2.4 | 60805 | 1.1.1.1 | 53 | UDP |
| 2024-12-30T10:35:02.511450+0100 | 2058551 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) | 1 | 192.168.2.4 | 49730 | 188.114.97.3 | 443 | TCP |
| 2024-12-30T10:35:02.511450+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49730 | 188.114.97.3 | 443 | TCP |
| 2024-12-30T10:35:02.973013+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49730 | 188.114.97.3 | 443 | TCP |
| 2024-12-30T10:35:02.973013+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49730 | 188.114.97.3 | 443 | TCP |
| 2024-12-30T10:35:03.434662+0100 | 2058551 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) | 1 | 192.168.2.4 | 49731 | 188.114.97.3 | 443 | TCP |
| 2024-12-30T10:35:03.434662+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 188.114.97.3 | 443 | TCP |
| 2024-12-30T10:35:03.873547+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49731 | 188.114.97.3 | 443 | TCP |
| 2024-12-30T10:35:03.873547+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49731 | 188.114.97.3 | 443 | TCP |
| 2024-12-30T10:35:04.581835+0100 | 2058551 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) | 1 | 192.168.2.4 | 49732 | 188.114.97.3 | 443 | TCP |
| 2024-12-30T10:35:04.581835+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49732 | 188.114.97.3 | 443 | TCP |
| 2024-12-30T10:35:05.691058+0100 | 2058551 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) | 1 | 192.168.2.4 | 49733 | 188.114.97.3 | 443 | TCP |
| 2024-12-30T10:35:05.691058+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49733 | 188.114.97.3 | 443 | TCP |
| 2024-12-30T10:35:10.931130+0100 | 2058551 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) | 1 | 192.168.2.4 | 49734 | 188.114.97.3 | 443 | TCP |
| 2024-12-30T10:35:10.931130+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49734 | 188.114.97.3 | 443 | TCP |
| 2024-12-30T10:35:12.705981+0100 | 2058551 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) | 1 | 192.168.2.4 | 49735 | 188.114.97.3 | 443 | TCP |
| 2024-12-30T10:35:12.705981+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49735 | 188.114.97.3 | 443 | TCP |
| 2024-12-30T10:35:13.155766+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49735 | 188.114.97.3 | 443 | TCP |
| 2024-12-30T10:35:14.111373+0100 | 2058551 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) | 1 | 192.168.2.4 | 49736 | 188.114.97.3 | 443 | TCP |
| 2024-12-30T10:35:14.111373+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49736 | 188.114.97.3 | 443 | TCP |
| 2024-12-30T10:35:14.132401+0100 | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 1 | 192.168.2.4 | 49736 | 188.114.97.3 | 443 | TCP |
| 2024-12-30T10:35:16.659727+0100 | 2058551 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) | 1 | 192.168.2.4 | 49737 | 188.114.97.3 | 443 | TCP |
| 2024-12-30T10:35:16.659727+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49737 | 188.114.97.3 | 443 | TCP |
| 2024-12-30T10:35:17.107150+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49737 | 188.114.97.3 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 30, 2024 10:35:02.070823908 CET | 49730 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:02.070887089 CET | 443 | 49730 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:02.071084023 CET | 49730 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:02.074724913 CET | 49730 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:02.074755907 CET | 443 | 49730 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:02.511343956 CET | 443 | 49730 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:02.511450052 CET | 49730 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:02.516118050 CET | 49730 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:02.516132116 CET | 443 | 49730 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:02.516340017 CET | 443 | 49730 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:02.558132887 CET | 49730 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:02.565505981 CET | 49730 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:02.565530062 CET | 49730 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:02.565581083 CET | 443 | 49730 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:02.973018885 CET | 443 | 49730 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:02.973095894 CET | 443 | 49730 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:02.973162889 CET | 49730 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:02.980798006 CET | 49730 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:02.980828047 CET | 443 | 49730 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:03.000468969 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:03.000489950 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:03.000569105 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:03.000950098 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:03.000961065 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:03.434565067 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:03.434662104 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:03.462681055 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:03.462697983 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:03.462889910 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:03.464844942 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:03.464975119 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:03.464996099 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:03.873553038 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:03.873605967 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:03.873636007 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:03.873651981 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:03.873676062 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:03.873709917 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:03.873718977 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:03.873723984 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:03.873780966 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:03.874164104 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:03.874768972 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:03.874802113 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:03.874810934 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:03.874814987 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:03.874859095 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:03.874864101 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:03.878307104 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:03.878350019 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:03.878355026 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:03.933234930 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:03.955491066 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:03.955535889 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:03.955591917 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:03.955599070 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:03.955612898 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:03.955663919 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:03.956531048 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:03.956543922 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:03.956559896 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:03.956564903 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:04.143079996 CET | 49732 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:04.143124104 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:04.143210888 CET | 49732 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:04.143557072 CET | 49732 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:04.143567085 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:04.581765890 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:04.581835032 CET | 49732 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:04.583051920 CET | 49732 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:04.583064079 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:04.583280087 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:04.584543943 CET | 49732 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:04.584698915 CET | 49732 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:04.584724903 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:04.584789038 CET | 49732 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:04.584796906 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:05.168693066 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:05.168787956 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:05.168843985 CET | 49732 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:05.168931007 CET | 49732 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:05.168946981 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:05.247467041 CET | 49733 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:05.247514963 CET | 443 | 49733 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:05.247606039 CET | 49733 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:05.247884035 CET | 49733 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:05.247903109 CET | 443 | 49733 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:05.690936089 CET | 443 | 49733 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:05.691057920 CET | 49733 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:05.692722082 CET | 49733 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:05.692738056 CET | 443 | 49733 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:05.692943096 CET | 443 | 49733 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:05.694425106 CET | 49733 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:05.694566965 CET | 49733 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:05.694600105 CET | 443 | 49733 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:10.274089098 CET | 443 | 49733 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:10.274174929 CET | 443 | 49733 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:10.274235010 CET | 49733 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:10.274399996 CET | 49733 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:10.274421930 CET | 443 | 49733 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:10.488492012 CET | 49734 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:10.488512039 CET | 443 | 49734 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:10.488579988 CET | 49734 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:10.489089966 CET | 49734 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:10.489099979 CET | 443 | 49734 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:10.930999041 CET | 443 | 49734 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:10.931129932 CET | 49734 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:10.932336092 CET | 49734 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:10.932343960 CET | 443 | 49734 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:10.932543039 CET | 443 | 49734 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:10.933538914 CET | 49734 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:10.933635950 CET | 49734 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:10.933660984 CET | 443 | 49734 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:10.933721066 CET | 49734 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:10.933727026 CET | 443 | 49734 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:11.918987036 CET | 443 | 49734 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:11.919064999 CET | 443 | 49734 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:11.919138908 CET | 49734 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:11.919365883 CET | 49734 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:11.919377089 CET | 443 | 49734 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:12.259767056 CET | 49735 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:12.259805918 CET | 443 | 49735 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:12.259891987 CET | 49735 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:12.260328054 CET | 49735 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:12.260345936 CET | 443 | 49735 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:12.705878019 CET | 443 | 49735 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:12.705981016 CET | 49735 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:12.707629919 CET | 49735 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:12.707642078 CET | 443 | 49735 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:12.707848072 CET | 443 | 49735 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:12.709537983 CET | 49735 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:12.709654093 CET | 49735 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:12.709661007 CET | 443 | 49735 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:13.155767918 CET | 443 | 49735 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:13.155844927 CET | 443 | 49735 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:13.155915976 CET | 49735 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:13.156246901 CET | 49735 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:13.156266928 CET | 443 | 49735 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:13.676661015 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:13.676700115 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:13.676790953 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:13.677089930 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:13.677108049 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:14.111262083 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:14.111372948 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:14.117950916 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:14.117974997 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:14.118164062 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:14.131128073 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:14.131993055 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:14.132028103 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:14.132133961 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:14.132177114 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:14.132308960 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:14.132344007 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:14.132477999 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:14.132513046 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:14.132678986 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:14.132716894 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:14.132878065 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:14.132906914 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:14.132927895 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:14.132941961 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:14.132952929 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:14.132957935 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:14.133059025 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:14.133083105 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:14.133109093 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:14.133122921 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:14.133238077 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:14.133274078 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:14.142255068 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:14.142421961 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:14.142461061 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:14.142493963 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:14.142515898 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:14.142535925 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:14.142549038 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:16.172207117 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:16.172298908 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:16.172373056 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:16.173228979 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:16.173249006 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:16.227848053 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:16.227880955 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:16.227941036 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:16.228193998 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:16.228207111 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:16.659631968 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:16.659727097 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:16.661106110 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:16.661117077 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:16.661317110 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:16.662626982 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:16.662648916 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:16.662678957 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:17.107184887 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:17.107225895 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:17.107255936 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:17.107275009 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:17.107285976 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:17.107294083 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:17.107331038 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:17.107348919 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:17.107372046 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:17.107388973 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:17.107397079 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:17.107434034 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:17.107440948 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:17.111973047 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:17.112001896 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:17.112020969 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:17.112025976 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:17.112071991 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:17.112076998 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:17.112091064 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:17.112127066 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:17.112289906 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:17.112301111 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Dec 30, 2024 10:35:17.112309933 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
| Dec 30, 2024 10:35:17.112313986 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 30, 2024 10:35:02.026314020 CET | 60805 | 53 | 192.168.2.4 | 1.1.1.1 |
| Dec 30, 2024 10:35:02.040095091 CET | 53 | 60805 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Dec 30, 2024 10:35:02.026314020 CET | 192.168.2.4 | 1.1.1.1 | 0x3580 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Dec 30, 2024 10:35:02.040095091 CET | 1.1.1.1 | 192.168.2.4 | 0x3580 | No error (0) | 188.114.97.3 | A (IP address) | IN (0x0001) | false | ||
| Dec 30, 2024 10:35:02.040095091 CET | 1.1.1.1 | 192.168.2.4 | 0x3580 | No error (0) | 188.114.96.3 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49730 | 188.114.97.3 | 443 | 7448 | C:\Users\user\Desktop\6QLvb9i.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-30 09:35:02 UTC | 265 | OUT | |
| 2024-12-30 09:35:02 UTC | 8 | OUT | |
| 2024-12-30 09:35:02 UTC | 1129 | IN | |
| 2024-12-30 09:35:02 UTC | 7 | IN | |
| 2024-12-30 09:35:02 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49731 | 188.114.97.3 | 443 | 7448 | C:\Users\user\Desktop\6QLvb9i.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-30 09:35:03 UTC | 266 | OUT | |
| 2024-12-30 09:35:03 UTC | 54 | OUT | |
| 2024-12-30 09:35:03 UTC | 1137 | IN | |
| 2024-12-30 09:35:03 UTC | 232 | IN | |
| 2024-12-30 09:35:03 UTC | 1369 | IN | |
| 2024-12-30 09:35:03 UTC | 1369 | IN | |
| 2024-12-30 09:35:03 UTC | 1369 | IN | |
| 2024-12-30 09:35:03 UTC | 1369 | IN | |
| 2024-12-30 09:35:03 UTC | 1369 | IN | |
| 2024-12-30 09:35:03 UTC | 1369 | IN | |
| 2024-12-30 09:35:03 UTC | 1369 | IN | |
| 2024-12-30 09:35:03 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.4 | 49732 | 188.114.97.3 | 443 | 7448 | C:\Users\user\Desktop\6QLvb9i.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-30 09:35:04 UTC | 284 | OUT | |
| 2024-12-30 09:35:04 UTC | 15331 | OUT | |
| 2024-12-30 09:35:04 UTC | 2839 | OUT | |
| 2024-12-30 09:35:05 UTC | 1137 | IN | |
| 2024-12-30 09:35:05 UTC | 20 | IN | |
| 2024-12-30 09:35:05 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.4 | 49733 | 188.114.97.3 | 443 | 7448 | C:\Users\user\Desktop\6QLvb9i.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-30 09:35:05 UTC | 278 | OUT | |
| 2024-12-30 09:35:05 UTC | 8761 | OUT | |
| 2024-12-30 09:35:10 UTC | 1140 | IN | |
| 2024-12-30 09:35:10 UTC | 20 | IN | |
| 2024-12-30 09:35:10 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.4 | 49734 | 188.114.97.3 | 443 | 7448 | C:\Users\user\Desktop\6QLvb9i.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-30 09:35:10 UTC | 279 | OUT | |
| 2024-12-30 09:35:10 UTC | 15331 | OUT | |
| 2024-12-30 09:35:10 UTC | 5083 | OUT | |
| 2024-12-30 09:35:11 UTC | 1129 | IN | |
| 2024-12-30 09:35:11 UTC | 20 | IN | |
| 2024-12-30 09:35:11 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.4 | 49735 | 188.114.97.3 | 443 | 7448 | C:\Users\user\Desktop\6QLvb9i.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-30 09:35:12 UTC | 282 | OUT | |
| 2024-12-30 09:35:12 UTC | 1270 | OUT | |
| 2024-12-30 09:35:13 UTC | 1132 | IN | |
| 2024-12-30 09:35:13 UTC | 20 | IN | |
| 2024-12-30 09:35:13 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.4 | 49736 | 188.114.97.3 | 443 | 7448 | C:\Users\user\Desktop\6QLvb9i.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-30 09:35:14 UTC | 278 | OUT | |
| 2024-12-30 09:35:14 UTC | 15331 | OUT | |
| 2024-12-30 09:35:14 UTC | 15331 | OUT | |
| 2024-12-30 09:35:14 UTC | 15331 | OUT | |
| 2024-12-30 09:35:14 UTC | 15331 | OUT | |
| 2024-12-30 09:35:14 UTC | 15331 | OUT | |
| 2024-12-30 09:35:14 UTC | 15331 | OUT | |
| 2024-12-30 09:35:14 UTC | 15331 | OUT | |
| 2024-12-30 09:35:14 UTC | 15331 | OUT | |
| 2024-12-30 09:35:14 UTC | 15331 | OUT | |
| 2024-12-30 09:35:14 UTC | 15331 | OUT | |
| 2024-12-30 09:35:16 UTC | 1137 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.4 | 49737 | 188.114.97.3 | 443 | 7448 | C:\Users\user\Desktop\6QLvb9i.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-30 09:35:16 UTC | 266 | OUT | |
| 2024-12-30 09:35:16 UTC | 89 | OUT | |
| 2024-12-30 09:35:17 UTC | 1125 | IN | |
| 2024-12-30 09:35:17 UTC | 244 | IN | |
| 2024-12-30 09:35:17 UTC | 1369 | IN | |
| 2024-12-30 09:35:17 UTC | 1369 | IN | |
| 2024-12-30 09:35:17 UTC | 1369 | IN | |
| 2024-12-30 09:35:17 UTC | 1369 | IN | |
| 2024-12-30 09:35:17 UTC | 1369 | IN | |
| 2024-12-30 09:35:17 UTC | 1369 | IN | |
| 2024-12-30 09:35:17 UTC | 1369 | IN | |
| 2024-12-30 09:35:17 UTC | 1312 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 04:34:59 |
| Start date: | 30/12/2024 |
| Path: | C:\Users\user\Desktop\6QLvb9i.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x8d0000 |
| File size: | 916'992 bytes |
| MD5 hash: | C79AD67C0547A2C2F19268618331E4AD |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 04:35:00 |
| Start date: | 30/12/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7699e0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 04:35:00 |
| Start date: | 30/12/2024 |
| Path: | C:\Users\user\Desktop\6QLvb9i.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x8d0000 |
| File size: | 916'992 bytes |
| MD5 hash: | C79AD67C0547A2C2F19268618331E4AD |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | false |
Execution Graph
| Execution Coverage: | 7.8% |
| Dynamic/Decrypted Code Coverage: | 2.9% |
| Signature Coverage: | 4% |
| Total number of Nodes: | 276 |
| Total number of Limit Nodes: | 12 |
Graph
Function 0091519E Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295threadinjectionmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008D1C10 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 108libraryfileloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008F3202 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008D1DB0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 78librarymemoryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008F3D52 Relevance: 3.1, APIs: 2, Instructions: 65COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008D2010 Relevance: 3.0, APIs: 2, Instructions: 34COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008F2277 Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008D14C0 Relevance: 1.8, APIs: 1, Instructions: 308COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008E4C70 Relevance: 1.6, APIs: 1, Instructions: 116COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008E3390 Relevance: 1.6, APIs: 1, Instructions: 66COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008D2210 Relevance: 1.6, APIs: 1, Instructions: 53COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008F35B4 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008F22B1 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008DF670 Relevance: 1.5, APIs: 1, Instructions: 27COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008F7CC7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008F0060 Relevance: 6.5, APIs: 4, Instructions: 455COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008F82A9 Relevance: 6.2, APIs: 4, Instructions: 206fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008E64BF Relevance: 6.1, APIs: 4, Instructions: 70COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008F7840 Relevance: 4.7, APIs: 3, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008E6127 Relevance: 1.7, APIs: 1, Instructions: 242COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008F7B00 Relevance: 1.6, APIs: 1, Instructions: 83COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008EA982 Relevance: 1.6, Strings: 1, Instructions: 318COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008F7C20 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008F7DCD Relevance: 1.5, APIs: 1, Instructions: 48COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008E64B3 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008F3BE0 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008FBD99 Relevance: .6, Instructions: 637COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008D1BA0 Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00902512 Relevance: 12.2, APIs: 8, Instructions: 248COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008F5176 Relevance: 10.8, APIs: 7, Instructions: 329COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008E6A80 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0090097C Relevance: 9.3, APIs: 6, Instructions: 292COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008F190E Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008EBD98 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008F39EA Relevance: 7.7, APIs: 5, Instructions: 197COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008E5D01 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008FD190 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008F8086 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008E95B2 Relevance: 6.1, APIs: 4, Instructions: 79COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008F947E Relevance: 6.1, APIs: 4, Instructions: 74COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008E6EF5 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008F6C36 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008F1D32 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 120COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008F159E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 4.6% |
| Dynamic/Decrypted Code Coverage: | 6.1% |
| Signature Coverage: | 45.2% |
| Total number of Nodes: | 263 |
| Total number of Limit Nodes: | 20 |
Graph
Function 00412AE0 Relevance: 199.9, APIs: 4, Strings: 109, Instructions: 2152COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00438810 Relevance: 34.1, APIs: 11, Strings: 8, Instructions: 801memorycomCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 052E1000 Relevance: 19.6, APIs: 13, Instructions: 81clipboardsleepmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00424428 Relevance: 18.4, Strings: 14, Instructions: 929COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00408710 Relevance: 7.7, APIs: 5, Instructions: 198threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040E9AA Relevance: 5.3, Strings: 4, Instructions: 327COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040C44A Relevance: 3.9, Strings: 3, Instructions: 116COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043DCD0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040DF94 Relevance: 1.4, Strings: 1, Instructions: 182COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00440E20 Relevance: 1.4, Strings: 1, Instructions: 157COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00440C70 Relevance: 1.4, Strings: 1, Instructions: 148COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043FC60 Relevance: 1.4, Strings: 1, Instructions: 112COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043E480 Relevance: 1.3, Strings: 1, Instructions: 87COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043BE00 Relevance: .3, Instructions: 283COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004410A0 Relevance: .1, Instructions: 147COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00422F20 Relevance: .1, Instructions: 104COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043E41E Relevance: .1, Instructions: 61COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042D69A Relevance: 3.1, APIs: 2, Instructions: 75COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042D698 Relevance: 3.1, APIs: 2, Instructions: 62COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040CA45 Relevance: 3.0, APIs: 2, Instructions: 39COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042D646 Relevance: 1.6, APIs: 1, Instructions: 61COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043DE6F Relevance: 1.6, APIs: 1, Instructions: 56COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00436F18 Relevance: 1.6, APIs: 1, Instructions: 50COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043DC52 Relevance: 1.5, APIs: 1, Instructions: 46memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004322BF Relevance: 1.5, APIs: 1, Instructions: 23COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00431BF2 Relevance: 1.5, APIs: 1, Instructions: 23COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043DED3 Relevance: 1.5, APIs: 1, Instructions: 22COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040C9F0 Relevance: 1.5, APIs: 1, Instructions: 21COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043BDD0 Relevance: 1.5, APIs: 1, Instructions: 13memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043BDB0 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042A100 Relevance: 9.2, Strings: 7, Instructions: 433COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008F7547 Relevance: 7.7, APIs: 5, Instructions: 182COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008F0060 Relevance: 6.5, APIs: 4, Instructions: 455COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042CE04 Relevance: 6.4, Strings: 5, Instructions: 165COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008E64BF Relevance: 6.1, APIs: 4, Instructions: 70COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00428633 Relevance: 5.5, Strings: 4, Instructions: 529COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004227F0 Relevance: 5.5, Strings: 4, Instructions: 519COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004162C4 Relevance: 5.2, Strings: 4, Instructions: 179COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042D464 Relevance: 5.1, Strings: 4, Instructions: 147COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042D460 Relevance: 5.1, Strings: 4, Instructions: 128COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00415656 Relevance: 5.0, Strings: 3, Instructions: 1291COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00439500 Relevance: 4.2, Strings: 3, Instructions: 482COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00418C28 Relevance: 4.2, Strings: 3, Instructions: 466COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004091F0 Relevance: 4.1, Strings: 3, Instructions: 388COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00417A10 Relevance: 4.0, Strings: 3, Instructions: 241COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042CE4C Relevance: 3.9, Strings: 3, Instructions: 164COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042CDAC Relevance: 3.9, Strings: 3, Instructions: 116COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00420270 Relevance: 3.4, Strings: 2, Instructions: 886COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042EA12 Relevance: 3.2, APIs: 2, Instructions: 228COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041D4D6 Relevance: 2.7, Strings: 2, Instructions: 211COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041CB70 Relevance: 2.7, Strings: 2, Instructions: 196COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041AD93 Relevance: 2.6, Strings: 2, Instructions: 145COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00415102 Relevance: 1.8, Strings: 1, Instructions: 568COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040AF0D Relevance: 1.8, Strings: 1, Instructions: 535COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041D6F4 Relevance: 1.6, Strings: 1, Instructions: 315COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041DAA8 Relevance: 1.5, Strings: 1, Instructions: 268COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042C3F0 Relevance: 1.5, Strings: 1, Instructions: 236COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043F9D0 Relevance: 1.5, Strings: 1, Instructions: 211COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041AB34 Relevance: 1.4, Strings: 1, Instructions: 194COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00418CE7 Relevance: 1.4, Strings: 1, Instructions: 169COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043E678 Relevance: 1.4, Strings: 1, Instructions: 113COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043E674 Relevance: 1.3, Strings: 1, Instructions: 72COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042D22E Relevance: 1.3, Strings: 1, Instructions: 56COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041E92F Relevance: 1.0, Instructions: 951COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043F250 Relevance: .7, Instructions: 698COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004074E0 Relevance: .6, Instructions: 611COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043F430 Relevance: .6, Instructions: 556COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043F550 Relevance: .6, Instructions: 555COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043F4C0 Relevance: .5, Instructions: 521COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405980 Relevance: .4, Instructions: 449COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00423A00 Relevance: .3, Instructions: 309COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004273AE Relevance: .2, Instructions: 191COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042D1BA Relevance: .2, Instructions: 160COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00441220 Relevance: .1, Instructions: 144COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004284D0 Relevance: .1, Instructions: 96COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043C280 Relevance: .1, Instructions: 85COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042A458 Relevance: .1, Instructions: 85COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00435F00 Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042BA30 Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402C00 Relevance: .0, Instructions: 43COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040BC41 Relevance: .0, Instructions: 20COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042A623 Relevance: .0, Instructions: 11COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008D1C10 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 108libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00902512 Relevance: 12.2, APIs: 8, Instructions: 248COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008F5176 Relevance: 10.8, APIs: 7, Instructions: 329COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008F3202 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008E6A80 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0090097C Relevance: 9.3, APIs: 6, Instructions: 292COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008F190E Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008EBD98 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008F39EA Relevance: 7.7, APIs: 5, Instructions: 197COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008E5D01 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008FD190 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008F8086 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008E95B2 Relevance: 6.1, APIs: 4, Instructions: 79COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008F947E Relevance: 6.1, APIs: 4, Instructions: 74COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008E6EF5 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008F1D32 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 120COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008F159E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 008D1DB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 78libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|