Windows
Analysis Report
AquaDiscord-2.0.exe
Overview
General Information
Detection
- Score: 100
- Range: 0 - 100
- Whitelisted: false
- Confidence: 100%
Signatures
Classification
- System is w10x64
- AquaDiscord-2.0.exe (PID: 7324 cmdline: "C:\Users\user\Desktop\AquaDiscord-2.0.exe" MD5: A15EBBC7798933DC1D436B59600F3ACA)
- conhost.exe (PID: 7332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- AquaDiscord-2.0.exe (PID: 7400 cmdline: "C:\Users\user\Desktop\AquaDiscord-2.0.exe" MD5: A15EBBC7798933DC1D436B59600F3ACA)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | |
{"C2 url": ["fancywaxxers.shop", "nearycrepso.shop", "cloudewahsj.shop", "rabidcowse.shop", "framekgirus.shop", "tirepublicerj.shop", "wholersorie.shop", "abruptyopsn.shop", "noisycuttej.shop"], "Build id": "yau6Na--899083440"}
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
| | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
| | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-30T20:40:00.758376+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49730 | 104.21.16.1 | 443 | TCP |
2024-12-30T20:40:01.729539+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 104.21.16.1 | 443 | TCP |
2024-12-30T20:40:03.423030+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 104.21.16.1 | 443 | TCP |
2024-12-30T20:40:04.622792+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 104.21.16.1 | 443 | TCP |
2024-12-30T20:40:05.886609+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49734 | 104.21.16.1 | 443 | TCP |
2024-12-30T20:40:07.393149+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49735 | 104.21.16.1 | 443 | TCP |
2024-12-30T20:40:08.760534+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49736 | 104.21.16.1 | 443 | TCP |
2024-12-30T20:40:12.789707+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 104.21.16.1 | 443 | TCP |
2024-12-30T20:40:01.241350+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 104.21.16.1 | 443 | TCP |
2024-12-30T20:40:02.279785+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 104.21.16.1 | 443 | TCP |
2024-12-30T20:40:13.250576+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 104.21.16.1 | 443 | TCP |
2024-12-30T20:40:01.241350+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 104.21.16.1 | 443 | TCP |
2024-12-30T20:40:02.279785+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 104.21.16.1 | 443 | TCP |
2024-12-30T20:40:05.223121+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 104.21.16.1 | 443 | TCP |
AV Detection
Source: | Avira URL Cloud: |
Source: | Avira URL Cloud: |
Source: | Avira URL Cloud: |
Source: | Avira URL Cloud: |
Source: | Avira URL Cloud: |
Source: | Avira URL Cloud: |
Source: | Avira URL Cloud: |
Source: | Avira URL Cloud: |
Source: | Avira URL Cloud: |
Source: | Avira URL Cloud: |
Source: | Avira URL Cloud: |
Source: | Avira URL Cloud: |
Source: | Avira URL Cloud: |
Source: | Avira URL Cloud: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | String decryptor: |
Source: | String decryptor: |
Source: | String decryptor: |
Source: | String decryptor: |
Source: | String decryptor: |
Source: | String decryptor: |
Source: | String decryptor: |
Source: | String decryptor: |
Source: | String decryptor: |
Source: | String decryptor: |
Source: | String decryptor: |
Source: | String decryptor: |
Source: | String decryptor: |
Source: | String decryptor: |
Source: | String decryptor: |
Source: | Code function: | 2_2_00414A9A |
Source: | Static PE information: |
Source: | HTTPS traffic detected: |
Source: | HTTPS traffic detected: |
Source: | HTTPS traffic detected: |
Source: | HTTPS traffic detected: |
Source: | HTTPS traffic detected: |
Source: | HTTPS traffic detected: |
Source: | HTTPS traffic detected: |
Source: | HTTPS traffic detected: |
Source: | Code function: | 0_2_00B0B6A8 |
Source: | Code function: | 0_2_00B0B759 |
Source: | Code function: | 2_2_0042207D |
Source: | Code function: | 2_2_0042207D |
Source: | Code function: | 2_2_00420830 |
Source: | Code function: | 2_2_0042DA21 |
Source: | Code function: | 2_2_0043F23F |
Source: | Code function: | 2_2_0042D2FF |
Source: | Code function: | 2_2_00414A9A |
Source: | Code function: | 2_2_00414A9A |
Source: | Code function: | 2_2_00414A9A |
Source: | Code function: | 2_2_00439B30 |
Source: | Code function: | 2_2_00439B30 |
Source: | Code function: | 2_2_00439B30 |
Source: | Code function: | 2_2_00426B80 |
Source: | Code function: | 2_2_0040CEC7 |
Source: | Code function: | 2_2_00440ED0 |
Source: | Code function: | 2_2_00441F50 |
Source: | Code function: | 2_2_0040D75B |
Source: | Code function: | 2_2_0040D75B |
Source: | Code function: | 2_2_0040D75B |
Source: | Code function: | 2_2_0040D75B |
Source: | Code function: | 2_2_0040D75B |
Source: | Code function: | 2_2_0043CFDB |
Source: | Code function: | 2_2_00427050 |
Source: | Code function: | 2_2_00427050 |
Source: | Code function: | 2_2_00427050 |
Source: | Code function: | 2_2_00427879 |
Source: | Code function: | 2_2_00427030 |
Source: | Code function: | 2_2_0041B8D4 |
Source: | Code function: | 2_2_00405910 |
Source: | Code function: | 2_2_00405910 |
Source: | Code function: | 2_2_00416914 |
Source: | Code function: | 2_2_00416914 |
Source: | Code function: | 2_2_00416914 |
Source: | Code function: | 2_2_00420130 |
Source: | Code function: | 2_2_0042B1E0 |
Source: | Code function: | 2_2_00421980 |
Source: | Code function: | 2_2_0043D9A0 |
Source: | Code function: | 2_2_0042AA70 |
Source: | Code function: | 2_2_004162D2 |
Source: | Code function: | 2_2_004162D2 |
Source: | Code function: | 2_2_0043EAF2 |
Source: | Code function: | 2_2_0041AA81 |
Source: | Code function: | 2_2_0041AA81 |
Source: | Code function: | 2_2_00436320 |
Source: | Code function: | 2_2_0042BBCB |
Source: | Code function: | 2_2_0042CC46 |
Source: | Code function: | 2_2_00407470 |
Source: | Code function: | 2_2_0042BC0F |
Source: | Code function: | 2_2_0042BB79 |
Source: | Code function: | 2_2_0041CD40 |
Source: | Code function: | 2_2_00428D4A |
Source: | Code function: | 2_2_00413D50 |
Source: | Code function: | 2_2_00413D50 |
Source: | Code function: | 2_2_0043D560 |
Source: | Code function: | 2_2_0042AD70 |
Source: | Code function: | 2_2_00423D10 |
Source: | Code function: | 2_2_00423D10 |
Source: | Code function: | 2_2_00402530 |
Source: | Code function: | 2_2_00429DF0 |
Source: | Code function: | 2_2_00423D10 |
Source: | Code function: | 2_2_00423D10 |
Source: | Code function: | 2_2_0040BDB9 |
Source: | Code function: | 2_2_00423E62 |
Source: | Code function: | 2_2_0042CE63 |
Source: | Code function: | 2_2_0043A660 |
Source: | Code function: | 2_2_0043A660 |
Source: | Code function: | 2_2_00416E62 |
Source: | Code function: | 2_2_00421600 |
Source: | Code function: | 2_2_0042C63D |
Source: | Code function: | 2_2_0043F6E3 |
Source: | Code function: | 2_2_004096B0 |
Source: | Code function: | 2_2_004096B0 |
Source: | Code function: | 2_2_00402F10 |
Source: | Code function: | 2_2_00408FE0 |
Source: | Code function: | 2_2_00417FBC |
Networking
Source: | Suricata IDS: |
Source: | Suricata IDS: |
Source: | Suricata IDS: |
Source: | Suricata IDS: |
Source: | Suricata IDS: |
Source: | Suricata IDS: |
Source: | URLs: |
Source: | URLs: |
Source: | URLs: |
Source: | URLs: |
Source: | URLs: |
Source: | URLs: |
Source: | URLs: |
Source: | URLs: |
Source: | URLs: |
Source: | IP Address: |
Source: | JA3 fingerprint: |
Source: | Suricata IDS: |
Source: | Suricata IDS: |
Source: | Suricata IDS: |
Source: | Suricata IDS: |
Source: | Suricata IDS: |
Source: | Suricata IDS: |
Source: | Suricata IDS: |
Source: | Suricata IDS: |
Source: | HTTP traffic detected: |
Source: | HTTP traffic detected: |
Source: | HTTP traffic detected: |
Source: | HTTP traffic detected: |
Source: | HTTP traffic detected: |
Source: | HTTP traffic detected: |
Source: | HTTP traffic detected: |
Source: | HTTP traffic detected: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | Network traffic detected: |
Source: | Network traffic detected: |
Source: | Network traffic detected: |
Source: | Network traffic detected: |
Source: | Network traffic detected: |
Source: | Network traffic detected: |
Source: | Network traffic detected: |
Source: | Network traffic detected: |
Source: | Network traffic detected: |
Source: | Network traffic detected: |
Source: | Network traffic detected: |
Source: | Network traffic detected: |
Source: | Network traffic detected: |
Source: | Network traffic detected: |
Source: | Network traffic detected: |
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: |
Source: | HTTPS traffic detected: |
Source: | HTTPS traffic detected: |
Source: | HTTPS traffic detected: |
Source: | HTTPS traffic detected: |
Source: | HTTPS traffic detected: |
Source: | HTTPS traffic detected: |
Source: | HTTPS traffic detected: |
Source: | Code function: | 2_2_00434280 |
Source: | Code function: | 2_2_05141000 |
Source: | Code function: | 2_2_00434280 |
Source: | Code function: | 2_2_00434460 |
Source: | Code function: | 0_2_00B0EA4E |
Source: | Code function: | 0_2_00B104C2 |
Source: | Code function: | 0_2_00B03400 |
Source: | Code function: | 0_2_00AFDDA2 |
Source: | Code function: | 0_2_00AF969B |
Source: | Code function: | 2_2_0043D050 |
Source: | Code function: | 2_2_0042207D |
Source: | Code function: | 2_2_00439800 |
Source: | Code function: | 2_2_00441900 |
Source: | Code function: | 2_2_00411920 |
Source: | Code function: | 2_2_0042DA21 |
Source: | Code function: | 2_2_00414A9A |
Source: | Code function: | 2_2_00439B30 |
Source: | Code function: | 2_2_00426B80 |
Source: | Code function: | 2_2_00420DD0 |
Source: | Code function: | 2_2_0040CEC7 |
Source: | Code function: | 2_2_00422F70 |
Source: | Code function: | 2_2_0043F73E |
Source: | Code function: | 2_2_00440FD0 |
Source: | Code function: | 2_2_0040FFD6 |
Source: | Code function: | 2_2_004087B0 |
Source: | Code function: | 2_2_00427050 |
Source: | Code function: | 2_2_00440065 |
Source: | Code function: | 2_2_00434060 |
Source: | Code function: | 2_2_00427879 |
Source: | Code function: | 2_2_00418816 |
Source: | Code function: | 2_2_0041D020 |
Source: | Code function: | 2_2_00422830 |
Source: | Code function: | 2_2_0040C8E5 |
Source: | Code function: | 2_2_00440880 |
Source: | Code function: | 2_2_0040A8B0 |
Source: | Code function: | 2_2_00405910 |
Source: | Code function: | 2_2_00416914 |
Source: | Code function: | 2_2_00403920 |
Source: | Code function: | 2_2_0041D920 |
Source: | Code function: | 2_2_00440920 |
Source: | Code function: | 2_2_0040B132 |
Source: | Code function: | 2_2_00420130 |
Source: | Code function: | 2_2_004191C0 |
Source: | Code function: | 2_2_004359C5 |
Source: | Code function: | 2_2_004371FD |
Source: | Code function: | 2_2_00421980 |
Source: | Code function: | 2_2_0043D9A0 |
Source: | Code function: | 2_2_004381AC |
Source: | Code function: | 2_2_004409B0 |
Source: | Code function: | 2_2_00438A55 |
Source: | Code function: | 2_2_00427A6E |
Source: | Code function: | 2_2_0040F27E |
Source: | Code function: | 2_2_00406200 |
Source: | Code function: | 2_2_00415A05 |
Source: | Code function: | 2_2_00418A30 |
Source: | Code function: | 2_2_00439230 |
Source: | Code function: | 2_2_00415A05 |
Source: | Code function: | 2_2_004042D0 |
Source: | Code function: | 2_2_004162D2 |
Source: | Code function: | 2_2_00423AE0 |
Source: | Code function: | 2_2_00429AFE |
Source: | Code function: | 2_2_0041AA81 |
Source: | Code function: | 2_2_004262A0 |
Source: | Code function: | 2_2_00437AA0 |
Source: | Code function: | 2_2_004092B0 |
Source: | Code function: | 2_2_004412B0 |
Source: | Code function: | 2_2_0041EB50 |
Source: | Code function: | 2_2_00402B70 |
Source: | Code function: | 2_2_0040A312 |
Source: | Code function: | 2_2_004183FA |
Source: | Code function: | 2_2_0041A3B0 |
Source: | Code function: | 2_2_00430C5A |
Source: | Code function: | 2_2_00407470 |
Source: | Code function: | 2_2_00423C70 |
Source: | Code function: | 2_2_0043AC70 |
Source: | Code function: | 2_2_00410C79 |
Source: | Code function: | 2_2_00404C10 |
Source: | Code function: | 2_2_0041D430 |
Source: | Code function: | 2_2_004114CB |
Source: | Code function: | 2_2_004354B7 |
Source: | Code function: | 2_2_0041CD40 |
Source: | Code function: | 2_2_0043ED4D |
Source: | Code function: | 2_2_00413D50 |
Source: | Code function: | 2_2_004415C0 |
Source: | Code function: | 2_2_0041BDD0 |
Source: | Code function: | 2_2_00429DF0 |
Source: | Code function: | 2_2_0043059D |
Source: | Code function: | 2_2_0043AE47 |
Source: | Code function: | 2_2_00423E62 |
Source: | Code function: | 2_2_0043A660 |
Source: | Code function: | 2_2_00416E62 |
Source: | Code function: | 2_2_00418E1C |
Source: | Code function: | 2_2_0042D6D6 |
Source: | Code function: | 2_2_00440680 |
Source: | Code function: | 2_2_00406690 |
Source: | Code function: | 2_2_0041A690 |
Source: | Code function: | 2_2_004096B0 |
Source: | Code function: | 2_2_00440770 |
Source: | Code function: | 2_2_0043E776 |
Source: | Code function: | 2_2_00402F10 |
Source: | Code function: | 2_2_00439710 |
Source: | Code function: | 2_2_004237C0 |
Source: | Code function: | 2_2_00438FD0 |
Source: | Code function: | 2_2_00440788 |
Source: | Code function: | 2_2_0044078A |
Source: | Code function: | 2_2_0042BFB4 |
Source: | Code function: | 2_2_00417FBC |
Source: | Code function: | 2_2_00B0EA4E |
Source: | Code function: | 2_2_00B104C2 |
Source: | Code function: | 2_2_00B03400 |
Source: | Code function: | 2_2_00AFDDA2 |
Source: | Code function: | 2_2_00AF969B |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Code function: | 2_2_00439B30 |
Source: | Mutant created: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Binary or memory string: |
Source: | ReversingLabs: |
Source: | File read: |
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Section loaded: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Code function: | 0_2_00AF9D7D |
Source: | Code function: | 2_2_00449A39 |
Source: | Code function: | 2_2_00447BD9 |
Source: | Code function: | 2_2_0043D49F |
Source: | Code function: | 2_2_00440632 |
Source: | Code function: | 2_2_00449702 |
Source: | Code function: | 2_2_0044686F |
Source: | Code function: | 2_2_00AF9D7D |
Source: | Registry key monitored for changes: |
Source: | Registry key monitored for changes: |
Source: | Process information set: |
Malware Analysis System Evasion
Source: | WMI Queries: |
Source: | System information queried: |
Source: | Window / User API: |
Source: | Thread sleep time: |
Source: | Thread sleep count: |
Source: | WMI Queries: |
Source: | Last function: |
Source: | Last function: |
Source: | Code function: | 0_2_00B0B6A8 |
Source: | Code function: | 0_2_00B0B759 |
Source: | Binary or memory string: |
Source: | API call chain: | graph_2-31530 |
Source: | Process information queried: |
Source: | Code function: | 2_2_0043EEC0 |
Source: | Code function: | 0_2_00B01A20 |
Source: | Code function: | 0_2_00B2019E |
Source: | Code function: | 0_2_00AF1BA0 |
Source: | Code function: | 2_2_00AF1BA0 |
Source: | Code function: | 0_2_00B06FE0 |
Source: | Code function: | 0_2_00AF9A27 |
Source: | Code function: | 0_2_00B01A20 |
Source: | Code function: | 0_2_00AF9A33 |
Source: | Code function: | 0_2_00AF9673 |
Source: | Code function: | 2_2_00AF9A27 |
Source: | Code function: | 2_2_00B01A20 |
Source: | Code function: | 2_2_00AF9A33 |
Source: | Code function: | 2_2_00AF9673 |
HIPS / PFW / Operating System Protection Evasion
Source: | Code function: | 0_2_00B2019E |
Source: | Memory written: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | Process created: |
Source: | Code function: | 0_2_00B068BD |
Source: | Code function: | 0_2_00B0B085 |
Source: | Code function: | 0_2_00B0B0D0 |
Source: | Code function: | 0_2_00B0A9F7 |
Source: | Code function: | 0_2_00B0B177 |
Source: | Code function: | 0_2_00B0B27D |
Source: | Code function: | 0_2_00B063B5 |
Source: | Code function: | 0_2_00B0ACF0 |
Source: | Code function: | 0_2_00B0AC48 |
Source: | Code function: | 0_2_00B0AFB0 |
Source: | Code function: | 0_2_00B0AF43 |
Source: | Code function: | 2_2_00B068BD |
Source: | Code function: | 2_2_00B0B085 |
Source: | Code function: | 2_2_00B0B0D0 |
Source: | Code function: | 2_2_00B0A9F7 |
Source: | Code function: | 2_2_00B0B177 |
Source: | Code function: | 2_2_00B0B27D |
Source: | Code function: | 2_2_00B063B5 |
Source: | Code function: | 2_2_00B0ACF0 |
Source: | Code function: | 2_2_00B0AC48 |
Source: | Code function: | 2_2_00B0AFB0 |
Source: | Code function: | 2_2_00B0AF43 |
Source: | Queries volume information: |
Source: | Code function: | 0_2_00AFA2F5 |
Source: | Key value queried: |
Source: | Binary or memory string: |
Source: | WMI Queries: |
Stealing of Sensitive Information
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | Directory queried: |
Source: | Directory queried: |
Source: | Directory queried: |
Source: | Directory queried: |
Source: | Directory queried: |
Source: | Directory queried: |
Source: | Directory queried: |
Source: | Directory queried: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Joe Sandbox prints the full ATT&CK technique list under every tactic. A cell with a leading number is a technique that matched behaviour signatures in this analysis (the digits are the report's hit badges); the unnumbered cells are the rest of the matrix, not findings. The matched techniques are the ones expected of a stealer: Process Injection, Virtualization/Sandbox Evasion, OS Credential Dumping, Security Software Discovery, System Information Discovery, Data from Local System, Clipboard Data, Software Packing, Encrypted Channel and Application Layer Protocol, among others.
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 DLL Side-Loading | 211 Process Injection | 21 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 211 Process Injection | LSASS Memory | 1 Query Registry | Remote Desktop Protocol | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 241 Security Software Discovery | SMB/Windows Admin Shares | 41 Data from Local System | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 21 Virtualization/Sandbox Evasion | Distributed Component Object Model | 3 Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 11 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 33 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
32% | ReversingLabs | Win32.Trojan.Generic | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
fancywaxxers.shop | 104.21.16.1 | true | false | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
10 URLs (names not preserved in this extraction) | 2 true, 8 false | | unknown for the 2 flagged entries, high for the other 8 |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
39 URLs (names and sources not preserved in this extraction) | | false for all 39 | | high for 27, unknown for 12 |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
104.21.16.1 | fancywaxxers.shop | United States | 13335 | CLOUDFLARENETUS | false |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1582529 |
Start date and time: | 2024-12-30 20:39:08 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 10s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 7 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | AquaDiscord-2.0.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@4/0@1/1 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.253.45
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- VT rate limit hit for: AquaDiscord-2.0.exe
Time | Type | Description |
---|---|---|
14:40:00 | API Interceptor |
Context tables: other samples that share an indicator with this one. Sample names, SHA-256 values and links ("Get hash", "Browse") were not preserved in this extraction; detection and threat name survive.

Match (IP) | Detection | Threat Name |
---|---|---|
104.21.16.1 | malicious | DCRat, PureLog Stealer, zgRAT |

Match (domain) | Detection | Threat Name |
---|---|---|
fancywaxxers.shop | malicious | LummaC |
 | malicious | LummaC |
 | malicious | LummaC |
 | malicious | LummaC |

Match (ASN) | Detection | Threat Name |
---|---|---|
CLOUDFLARENETUS | malicious | LummaC |
 | malicious | LummaC |
 | malicious | LummaC, DarkTortilla, LummaC Stealer, PureLog Stealer, zgRAT |
 | malicious | LummaC |
 | malicious | LummaC |
 | malicious | LummaC |
 | malicious | Unknown |
 | malicious | KnowBe4 |
 | malicious | LummaC |
 | malicious | Unknown |

The IP and ASN context is shared Cloudflare infrastructure, not this actor's: the IP table marks 104.21.16.1 as Malicious: false, and the ASN matches range from unrelated stealers to KnowBe4, a phishing-simulation vendor. Pivot and block on the domain (and the TLS SNI it produces), not on the address.

Match (32-hex-digit fingerprint; by the order of the report's context sections this is the JA3 table) | Detection | Threat Name |
---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | malicious | SmokeLoader |
 | malicious | LummaC |
 | malicious | LummaC |
 | malicious | LummaC, DarkTortilla, LummaC Stealer, PureLog Stealer, zgRAT |
 | malicious | LummaC |
 | malicious | LummaC |
 | malicious | LummaC |
 | malicious | LummaC |
 | malicious | LummaC |
 | malicious | LummaC |

The same fingerprint matches SmokeLoader and DarkTortilla samples as well as Lumma: a JA3 value identifies the TLS client stack, not the malware family, so treat it as a weak selector to combine with the domain or content signatures rather than as an indicator on its own.
File type: | |
Entropy (8bit): | 7.827269120715067 |
TrID: | |
File name: | AquaDiscord-2.0.exe |
File size: | 834'048 bytes |
MD5: | a15ebbc7798933dc1d436b59600f3aca |
SHA1: | c666f3ea96290df82eba8452262fa9c84ad8b518 |
SHA256: | 875390ef2cf52c86926147fed0ef8db6ddc8ad8422ecf5760462f2e03fc61bd3 |
SHA512: | 22ceec3e5deccbd3d78cf329c94b42e96647a6ddfbfecb96e57693daac106f209edec3836676d72b0a3a272d9f74ef3a33062d2e28e2bec52821142e0e6ef8cc |
SSDEEP: | 24576:Y4dPpQPmY1dzvMoyZljwur1dzvMoyZljwu+:hdPp/M5vMb3wuB5vMb3wu+ |
TLSH: | 210512517582C0B3CC631AB759FDA3B6562EF9600B21A9DF47D40FBE6F621C05630B2A |
File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....rg.................H........................@.......................................@.....................................(.. |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x40a2a0 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x6772AADA [Mon Dec 30 14:14:50 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | d6bfc0ff235c28cc21f6045af30834e6 |
The entrypoint listing below is the Microsoft C runtime's start-up code rather than sample-specific logic. The first routine is `__security_init_cookie`: BB40E64Eh is the default /GS stack cookie, FFFF0000h masks the low word to reject a cookie whose upper 16 bits are zero, and the OR with 00004711h shifted left by 10h is the CRT's fallback when the gathered value still looks degenerate; the result is stored as the cookie at 004307C0h and its complement at 00430800h. The second routine gathers that entropy by XORing a FILETIME (the 8-byte stack buffer cleared with xorps/movlpd) with the process and thread IDs, a QueryPerformanceCounter value and a stack address (lea ecx, [ebp-04h]). The int3 runs are padding between CRT stubs. Nothing here identifies the payload; the signal is in the section table, where the two .BSS sections carry near-8.0-bit entropy.
Instruction |
---|
call 00007F1EFC808A4Ah |
jmp 00007F1EFC8088ADh |
mov ecx, dword ptr [004307C0h] |
push esi |
push edi |
mov edi, BB40E64Eh |
mov esi, FFFF0000h |
cmp ecx, edi |
je 00007F1EFC808A46h |
test esi, ecx |
jne 00007F1EFC808A68h |
call 00007F1EFC808A71h |
mov ecx, eax |
cmp ecx, edi |
jne 00007F1EFC808A49h |
mov ecx, BB40E64Fh |
jmp 00007F1EFC808A50h |
test esi, ecx |
jne 00007F1EFC808A4Ch |
or eax, 00004711h |
shl eax, 10h |
or ecx, eax |
mov dword ptr [004307C0h], ecx |
not ecx |
pop edi |
mov dword ptr [00430800h], ecx |
pop esi |
ret |
push ebp |
mov ebp, esp |
sub esp, 14h |
lea eax, dword ptr [ebp-0Ch] |
xorps xmm0, xmm0 |
push eax |
movlpd qword ptr [ebp-0Ch], xmm0 |
call dword ptr [0042E8C8h] |
mov eax, dword ptr [ebp-08h] |
xor eax, dword ptr [ebp-0Ch] |
mov dword ptr [ebp-04h], eax |
call dword ptr [0042E884h] |
xor dword ptr [ebp-04h], eax |
call dword ptr [0042E880h] |
xor dword ptr [ebp-04h], eax |
lea eax, dword ptr [ebp-14h] |
push eax |
call dword ptr [0042E910h] |
mov eax, dword ptr [ebp-10h] |
lea ecx, dword ptr [ebp-04h] |
xor eax, dword ptr [ebp-14h] |
xor eax, dword ptr [ebp-04h] |
xor eax, ecx |
leave |
ret |
mov eax, 00004000h |
ret |
push 00431AB8h |
call dword ptr [0042E8E8h] |
ret |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
mov al, 01h |
ret |
push 00030000h |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e6ac | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x34000 | 0xe8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x35000 | 0x1b80 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x2a9a8 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x26e40 | 0xc0 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2e820 | 0x14c | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x2479a | 0x24800 | e99bb4e274380b09613559d3b1a664fb | False | 0.554781142979452 | data | 6.559742159760055 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x26000 | 0x9eb4 | 0xa000 | 3f1d7f6413abea491661acb746eefebf | False | 0.428271484375 | DOS executable (COM) | 4.91372050063646 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x30000 | 0x2280 | 0x1600 | 112d0c9e43893ae5b7f96d23807996ac | False | 0.39506392045454547 | data | 4.581141173428789 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0x33000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x34000 | 0xe8 | 0x200 | 03d6bf5d1e31277fc8fb90374111d794 | False | 0.306640625 | data | 2.344915704357875 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x35000 | 0x1b80 | 0x1c00 | 6e4c901089600f702531dbe2643a65b6 | False | 0.7770647321428571 | data | 6.526735403310053 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.BSS | 0x37000 | 0x4ca00 | 0x4ca00 | 9ee832d4aed74c7097c0a4b519fd8b77 | False | 1.000337734502447 | data | 7.999350903774988 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.BSS | 0x84000 | 0x4ca00 | 0x4ca00 | 9ee832d4aed74c7097c0a4b519fd8b77 | False | 1.000337734502447 | data | 7.999350903774988 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
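The section table above is where this binary gives itself away: two sections named .BSS, both with entropy 7.999, both 0x4ca00 bytes, both with the same MD5 (the repeated chunk in the SSDEEP value, `1dzvMoyZljwu`, is the same duplicate seen from the fuzzy-hash side), and a PE timestamp only hours before the analysis started. The following triage script is an added example and not Joe Sandbox code; it transcribes the report's section rows as constructed input (a real run would take them from a parsed PE, for which an optional pefile loader is included) and flags the checks an analyst applies before unpacking: high-entropy sections, duplicate names or content, writable-and-executable sections, bytes not claimed by any section, and build-to-analysis age. The 7.5-bit threshold and the field names are this example's choices.

```python
"""Static triage of a PE section table (added example, not Joe Sandbox code)."""
from __future__ import annotations

import hashlib
import math
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Section:
    name: str
    vaddr: int
    vsize: int
    raw_size: int
    md5: str
    entropy: float
    chars: frozenset[str]


def sec(name, vaddr, vsize, raw, md5, entropy, chars):
    return Section(name, vaddr, vsize, raw, md5, entropy, frozenset(chars.split(",")))


# Constructed input: the eight rows of the report's section table.
REPORT_SECTIONS = [
    sec(".text",  0x1000,  0x2479a, 0x24800, "e99bb4e274380b09613559d3b1a664fb", 6.5597, "CODE,EXECUTE,READ"),
    sec(".rdata", 0x26000, 0x9eb4,  0xa000,  "3f1d7f6413abea491661acb746eefebf", 4.9137, "INITIALIZED_DATA,READ"),
    sec(".data",  0x30000, 0x2280,  0x1600,  "112d0c9e43893ae5b7f96d23807996ac", 4.5811, "INITIALIZED_DATA,READ,WRITE"),
    sec(".tls",   0x33000, 0x9,     0x200,   "1f354d76203061bfdd5a53dae48d5435", 0.0204, "INITIALIZED_DATA,READ,WRITE"),
    sec(".rsrc",  0x34000, 0xe8,    0x200,   "03d6bf5d1e31277fc8fb90374111d794", 2.3449, "INITIALIZED_DATA,READ"),
    sec(".reloc", 0x35000, 0x1b80,  0x1c00,  "6e4c901089600f702531dbe2643a65b6", 6.5267, "INITIALIZED_DATA,DISCARDABLE,READ"),
    sec(".BSS",   0x37000, 0x4ca00, 0x4ca00, "9ee832d4aed74c7097c0a4b519fd8b77", 7.9994, "INITIALIZED_DATA,READ,WRITE"),
    sec(".BSS",   0x84000, 0x4ca00, 0x4ca00, "9ee832d4aed74c7097c0a4b519fd8b77", 7.9994, "INITIALIZED_DATA,READ,WRITE"),
]
FILE_SIZE = 834_048                          # bytes, from the report
PE_TIMESTAMP = 0x6772AADA                    # IMAGE_FILE_HEADER.TimeDateStamp, from the report
ANALYSIS_START = "2024-12-30 20:39:08+01:00"  # from the report
HIGH_ENTROPY = 7.5  # bits per byte; compressed or encrypted data sits close to 8.0 (example threshold)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of data; used when sections come from a file instead of the report."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(sections: list[Section], file_size: int) -> dict:
    """Section-level anomalies worth noting before any unpacking is attempted."""
    names = Counter(s.name for s in sections)
    md5s = Counter(s.md5 for s in sections)
    return {
        "high_entropy": [s.name for s in sections if s.entropy >= HIGH_ENTROPY],
        "duplicate_names": sorted(n for n, c in names.items() if c > 1),
        "duplicate_md5": sorted(h for h, c in md5s.items() if c > 1),
        "write_and_execute": [s.name for s in sections if {"WRITE", "EXECUTE"} <= s.chars],
        # Bytes no section claims: the PE headers plus any appended overlay.
        "unclaimed_bytes": file_size - sum(s.raw_size for s in sections),
    }


def compile_to_analysis_seconds(pe_timestamp: int, analysis_start: str) -> float:
    """Age of the build at analysis time; very small gaps point at per-campaign builds."""
    built = datetime.fromtimestamp(pe_timestamp, tz=timezone.utc)
    return (datetime.fromisoformat(analysis_start) - built).total_seconds()


def sections_from_file(path: str) -> list[Section]:
    """Same rows from a real PE via pefile (pip install pefile); not used in the offline run."""
    import pefile  # optional dependency
    bits = {"CODE": 0x20, "INITIALIZED_DATA": 0x40, "DISCARDABLE": 0x02000000,
            "EXECUTE": 0x20000000, "READ": 0x40000000, "WRITE": 0x80000000}
    out = []
    for s in pefile.PE(path).sections:
        data = s.get_data()
        out.append(Section(s.Name.rstrip(b"\0").decode(errors="replace"), s.VirtualAddress,
                           s.Misc_VirtualSize, s.SizeOfRawData, hashlib.md5(data).hexdigest(),
                           shannon_entropy(data),
                           frozenset(k for k, b in bits.items() if s.Characteristics & b)))
    return out


if __name__ == "__main__":
    for key, value in triage(REPORT_SECTIONS, FILE_SIZE).items():
        print(f"{key:18} {value}")
    age = compile_to_analysis_seconds(PE_TIMESTAMP, ANALYSIS_START)
    print(f"built {age / 3600:.1f} hours before the analysis started")
```

On the report's rows the script flags both .BSS sections for entropy, the duplicated name and the duplicated MD5, finds no writable-and-executable section, and leaves 2048 bytes unclaimed (the headers, plus any overlay). The build-to-analysis gap is 19458 seconds, about 5.4 hours.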
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_MANIFEST | 0x34060 | 0x87 | XML 1.0 document, ASCII text | English | United States | 0.8222222222222222 |
DLL | Import |
---|---|
KERNEL32.dll | AcquireSRWLockExclusive, CloseHandle, CompareStringW, CreateFileW, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeConsole, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-30T20:40:00.758376+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49730 | 104.21.16.1 | 443 | TCP |
2024-12-30T20:40:01.241350+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49730 | 104.21.16.1 | 443 | TCP |
2024-12-30T20:40:01.241350+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49730 | 104.21.16.1 | 443 | TCP |
2024-12-30T20:40:01.729539+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 104.21.16.1 | 443 | TCP |
2024-12-30T20:40:02.279785+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49731 | 104.21.16.1 | 443 | TCP |
2024-12-30T20:40:02.279785+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49731 | 104.21.16.1 | 443 | TCP |
2024-12-30T20:40:03.423030+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49732 | 104.21.16.1 | 443 | TCP |
2024-12-30T20:40:04.622792+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49733 | 104.21.16.1 | 443 | TCP |
2024-12-30T20:40:05.223121+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49733 | 104.21.16.1 | 443 | TCP |
2024-12-30T20:40:05.886609+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49734 | 104.21.16.1 | 443 | TCP |
2024-12-30T20:40:07.393149+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49735 | 104.21.16.1 | 443 | TCP |
2024-12-30T20:40:08.760534+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49736 | 104.21.16.1 | 443 | TCP |
2024-12-30T20:40:12.789707+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49737 | 104.21.16.1 | 443 | TCP |
2024-12-30T20:40:13.250576+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49737 | 104.21.16.1 | 443 | TCP |
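Read together with the TCP table that follows, the alerts describe eight short TLS sessions (client ports 49730 to 49737) opened roughly one to one and a half seconds apart to the same Cloudflare address. The JA3 rule (SID 2028371, severity 3) fires once per session and so carries no information beyond "a TLS client connected"; the severity-1 Lumma content rules fire on four of the eight sessions, and those are what a SOC should page on. The script below is an added example, not Joe Sandbox or Emerging Threats code: it embeds the report's 14 alert rows and the first client packet of each session from the report's TCP table as constructed input, joins them by client port, separates JA3-only sessions from sessions with a severity-1 hit, and measures the cadence between session starts. It assumes the report's CET stamps are +01:00, as the alert table's own offset shows.

```python
"""Correlate Suricata alerts with TLS session starts by client port (added example)."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

CET = timezone(timedelta(hours=1))  # assumption: the report's "CET" is the +0100 of the alert table

# Constructed input: the 14 alert rows from the report
# (Timestamp | SID | Signature | Severity | Src IP | Src Port | Dst IP | Dst Port | Proto).
ALERTS_TEXT = """\
2024-12-30T20:40:00.758376+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49730 | 104.21.16.1 | 443 | TCP
2024-12-30T20:40:01.241350+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49730 | 104.21.16.1 | 443 | TCP
2024-12-30T20:40:01.241350+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49730 | 104.21.16.1 | 443 | TCP
2024-12-30T20:40:01.729539+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 104.21.16.1 | 443 | TCP
2024-12-30T20:40:02.279785+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49731 | 104.21.16.1 | 443 | TCP
2024-12-30T20:40:02.279785+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49731 | 104.21.16.1 | 443 | TCP
2024-12-30T20:40:03.423030+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49732 | 104.21.16.1 | 443 | TCP
2024-12-30T20:40:04.622792+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49733 | 104.21.16.1 | 443 | TCP
2024-12-30T20:40:05.223121+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49733 | 104.21.16.1 | 443 | TCP
2024-12-30T20:40:05.886609+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49734 | 104.21.16.1 | 443 | TCP
2024-12-30T20:40:07.393149+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49735 | 104.21.16.1 | 443 | TCP
2024-12-30T20:40:08.760534+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49736 | 104.21.16.1 | 443 | TCP
2024-12-30T20:40:12.789707+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49737 | 104.21.16.1 | 443 | TCP
2024-12-30T20:40:13.250576+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49737 | 104.21.16.1 | 443 | TCP
"""

# Constructed input: first client packet of each session, copied from the report's TCP table.
SESSION_STARTS_TEXT = """\
Dec 30, 2024 20:40:00.277244091 CET | 49730 | 443 | 192.168.2.4 | 104.21.16.1
Dec 30, 2024 20:40:01.270971060 CET | 49731 | 443 | 192.168.2.4 | 104.21.16.1
Dec 30, 2024 20:40:02.541440964 CET | 49732 | 443 | 192.168.2.4 | 104.21.16.1
Dec 30, 2024 20:40:04.106069088 CET | 49733 | 443 | 192.168.2.4 | 104.21.16.1
Dec 30, 2024 20:40:05.432419062 CET | 49734 | 443 | 192.168.2.4 | 104.21.16.1
Dec 30, 2024 20:40:06.934406042 CET | 49735 | 443 | 192.168.2.4 | 104.21.16.1
Dec 30, 2024 20:40:08.287247896 CET | 49736 | 443 | 192.168.2.4 | 104.21.16.1
Dec 30, 2024 20:40:12.291284084 CET | 49737 | 443 | 192.168.2.4 | 104.21.16.1
"""

JA3_SID = 2028371  # the per-session fingerprint rule; severity 3 in the report


def parse_alerts(text: str) -> list[dict]:
    rows = []
    for line in text.strip().splitlines():
        ts, sid, msg, sev, _src, sport, dst, dport, _proto = [c.strip() for c in line.split("|")]
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"), "sid": int(sid),
                     "msg": msg, "sev": int(sev), "sport": int(sport), "dst": dst, "dport": int(dport)})
    return rows


def parse_session_starts(text: str) -> dict[int, datetime]:
    """Client port -> time of the first client packet (nanosecond stamps trimmed to microseconds)."""
    starts = {}
    for line in text.strip().splitlines():
        when, sport, *_ = [c.strip() for c in line.split("|")]
        base, frac = when.replace(" CET", "").split(".")
        starts[int(sport)] = datetime.strptime(f"{base}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f").replace(tzinfo=CET)
    return starts


def correlate(alerts: list[dict], starts: dict[int, datetime]) -> dict[int, dict]:
    """Group alerts under the session that raised them; Suricata severity 1 is the highest."""
    flows = {p: {"start": t, "sids": [], "top_sev": None} for p, t in starts.items()}
    for a in alerts:
        f = flows.setdefault(a["sport"], {"start": None, "sids": [], "top_sev": None})
        f["sids"].append(a["sid"])
        f["top_sev"] = a["sev"] if f["top_sev"] is None else min(f["top_sev"], a["sev"])
    return flows


def escalate(flows: dict[int, dict]) -> list[int]:
    """Sessions with at least one severity-1 (content) alert: the ones worth paging on."""
    return sorted(p for p, f in flows.items() if f["top_sev"] == 1)


def ja3_only(flows: dict[int, dict]) -> list[int]:
    """Sessions where the only alert is the fingerprint rule: context, not a finding."""
    return sorted(p for p, f in flows.items() if set(f["sids"]) == {JA3_SID})


def start_gaps(starts: dict[int, datetime]) -> list[float]:
    """Seconds between consecutive session starts, in port order (beaconing cadence)."""
    ts = [starts[p] for p in sorted(starts)]
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


if __name__ == "__main__":
    flows = correlate(parse_alerts(ALERTS_TEXT), parse_session_starts(SESSION_STARTS_TEXT))
    print("escalate:", escalate(flows))
    print("JA3 only:", ja3_only(flows))
    print("gaps (s):", [round(g, 2) for g in start_gaps(parse_session_starts(SESSION_STARTS_TEXT))])
```

On the report's data the four sessions to escalate are 49730, 49731, 49733 and 49737 (host check-in, check-in, exfiltration, check-in); 49732 and 49734 to 49736 carry only the JA3 hit. The seven start-to-start gaps run from about 0.99 s to 4.0 s, which is the signature of a console process working through a C2 conversation in a tight loop rather than a user browsing.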
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 30, 2024 20:40:00.277244091 CET | 49730 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:00.277275085 CET | 443 | 49730 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:00.277339935 CET | 49730 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:00.280221939 CET | 49730 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:00.280234098 CET | 443 | 49730 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:00.758264065 CET | 443 | 49730 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:00.758375883 CET | 49730 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:00.761853933 CET | 49730 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:00.761862993 CET | 443 | 49730 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:00.762269020 CET | 443 | 49730 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:00.810790062 CET | 49730 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:00.810820103 CET | 49730 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:00.810897112 CET | 443 | 49730 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:01.241374016 CET | 443 | 49730 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:01.241511106 CET | 443 | 49730 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:01.241560936 CET | 49730 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:01.247203112 CET | 49730 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:01.247215033 CET | 443 | 49730 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:01.247240067 CET | 49730 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:01.247245073 CET | 443 | 49730 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:01.270971060 CET | 49731 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:01.271011114 CET | 443 | 49731 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:01.271111965 CET | 49731 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:01.271473885 CET | 49731 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:01.271486998 CET | 443 | 49731 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:01.729444981 CET | 443 | 49731 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:01.729538918 CET | 49731 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:01.835076094 CET | 49731 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:01.835124016 CET | 443 | 49731 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:01.835504055 CET | 443 | 49731 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:01.845944881 CET | 49731 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:01.845988035 CET | 49731 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:01.846024990 CET | 443 | 49731 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:02.279783964 CET | 443 | 49731 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:02.279849052 CET | 443 | 49731 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:02.279889107 CET | 443 | 49731 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:02.279925108 CET | 49731 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:02.279944897 CET | 443 | 49731 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:02.280006886 CET | 443 | 49731 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:02.280041933 CET | 49731 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:02.280056000 CET | 443 | 49731 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:02.280106068 CET | 443 | 49731 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:02.280138969 CET | 49731 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:02.280145884 CET | 443 | 49731 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:02.280193090 CET | 443 | 49731 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:02.280211926 CET | 49731 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:02.280236959 CET | 443 | 49731 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:02.280301094 CET | 49731 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:02.284593105 CET | 443 | 49731 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:02.328923941 CET | 49731 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:02.328952074 CET | 443 | 49731 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:02.366449118 CET | 443 | 49731 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:02.366492033 CET | 443 | 49731 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:02.366529942 CET | 443 | 49731 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:02.366549969 CET | 49731 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:02.366561890 CET | 443 | 49731 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:02.366622925 CET | 49731 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:02.366622925 CET | 443 | 49731 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:02.366674900 CET | 49731 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:02.366883993 CET | 49731 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:02.366899014 CET | 443 | 49731 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:02.366909981 CET | 49731 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:02.366914034 CET | 443 | 49731 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:02.541440964 CET | 49732 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:02.541486979 CET | 443 | 49732 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:02.541553020 CET | 49732 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:02.541997910 CET | 49732 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:02.542016029 CET | 443 | 49732 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:03.422909975 CET | 443 | 49732 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:03.423029900 CET | 49732 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:03.424621105 CET | 49732 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:03.424627066 CET | 443 | 49732 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:03.424830914 CET | 443 | 49732 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:03.426090002 CET | 49732 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:03.426254034 CET | 49732 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:03.426284075 CET | 443 | 49732 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:03.426346064 CET | 49732 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:03.426353931 CET | 443 | 49732 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:04.007359028 CET | 443 | 49732 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:04.007438898 CET | 443 | 49732 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:04.007512093 CET | 49732 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:04.008814096 CET | 49732 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:04.008833885 CET | 443 | 49732 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:04.106069088 CET | 49733 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:04.106096983 CET | 443 | 49733 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:04.106173038 CET | 49733 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:04.106507063 CET | 49733 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:04.106517076 CET | 443 | 49733 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:04.622714043 CET | 443 | 49733 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:04.622792006 CET | 49733 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:04.628745079 CET | 49733 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:04.628760099 CET | 443 | 49733 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:04.628953934 CET | 443 | 49733 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:04.631316900 CET | 49733 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:04.631607056 CET | 49733 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:04.631633043 CET | 443 | 49733 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:05.223107100 CET | 443 | 49733 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:05.223179102 CET | 443 | 49733 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:05.223232985 CET | 49733 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:05.236917973 CET | 49733 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:05.236938953 CET | 443 | 49733 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:05.432419062 CET | 49734 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:05.432456017 CET | 443 | 49734 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:05.432529926 CET | 49734 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:05.432877064 CET | 49734 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:05.432892084 CET | 443 | 49734 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:05.886539936 CET | 443 | 49734 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:05.886609077 CET | 49734 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:05.888132095 CET | 49734 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:05.888138056 CET | 443 | 49734 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:05.888379097 CET | 443 | 49734 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:05.889549971 CET | 49734 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:05.889669895 CET | 49734 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:05.889710903 CET | 443 | 49734 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:05.889780998 CET | 49734 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:05.889791012 CET | 443 | 49734 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:06.517782927 CET | 443 | 49734 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:06.517874002 CET | 443 | 49734 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:06.518058062 CET | 49734 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:06.518111944 CET | 49734 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:06.518130064 CET | 443 | 49734 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:06.934406042 CET | 49735 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:06.934436083 CET | 443 | 49735 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:06.934510946 CET | 49735 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:06.934830904 CET | 49735 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:06.934842110 CET | 443 | 49735 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:07.393038034 CET | 443 | 49735 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:07.393148899 CET | 49735 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:07.394639969 CET | 49735 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:07.394650936 CET | 443 | 49735 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:07.394851923 CET | 443 | 49735 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:07.396260977 CET | 49735 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:07.396365881 CET | 49735 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:07.396372080 CET | 443 | 49735 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:07.807653904 CET | 443 | 49735 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:07.807728052 CET | 443 | 49735 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:07.807792902 CET | 49735 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:07.807988882 CET | 49735 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:07.808007002 CET | 443 | 49735 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:08.287247896 CET | 49736 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:08.287296057 CET | 443 | 49736 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:08.287388086 CET | 49736 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:08.287724972 CET | 49736 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:08.287743092 CET | 443 | 49736 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:08.760435104 CET | 443 | 49736 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:08.760534048 CET | 49736 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:08.761955023 CET | 49736 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:08.761979103 CET | 443 | 49736 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:08.762368917 CET | 443 | 49736 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:08.776287079 CET | 49736 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:08.777139902 CET | 49736 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:08.777204990 CET | 443 | 49736 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:08.777334929 CET | 49736 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:08.777401924 CET | 443 | 49736 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:08.777529001 CET | 49736 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:08.777791977 CET | 443 | 49736 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:08.777946949 CET | 49736 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:08.777987003 CET | 443 | 49736 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:08.778167963 CET | 49736 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:08.778209925 CET | 443 | 49736 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:08.778423071 CET | 49736 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:08.778470039 CET | 49736 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:08.778470993 CET | 443 | 49736 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:08.778533936 CET | 443 | 49736 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:08.778713942 CET | 49736 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:08.778784990 CET | 49736 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:08.778790951 CET | 443 | 49736 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:08.778882027 CET | 443 | 49736 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:08.778980017 CET | 49736 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:08.779043913 CET | 49736 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:08.779092073 CET | 443 | 49736 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:08.779093981 CET | 49736 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:08.779256105 CET | 49736 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:08.786612034 CET | 443 | 49736 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:08.786725044 CET | 443 | 49736 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:08.786731958 CET | 49736 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:08.786792040 CET | 443 | 49736 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:08.786820889 CET | 49736 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:08.786935091 CET | 443 | 49736 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:08.787035942 CET | 443 | 49736 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:12.260711908 CET | 443 | 49736 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:12.260993004 CET | 443 | 49736 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:12.261086941 CET | 49736 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:12.261178017 CET | 49736 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:12.261221886 CET | 443 | 49736 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:12.291284084 CET | 49737 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:12.291402102 CET | 443 | 49737 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:12.291501045 CET | 49737 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:12.291766882 CET | 49737 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:12.291815996 CET | 443 | 49737 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:12.789589882 CET | 443 | 49737 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:12.789706945 CET | 49737 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:12.794553995 CET | 49737 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:12.794595003 CET | 443 | 49737 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:12.795026064 CET | 443 | 49737 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:12.796437025 CET | 49737 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:12.796477079 CET | 49737 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:12.796544075 CET | 443 | 49737 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:13.250654936 CET | 443 | 49737 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:13.250787973 CET | 443 | 49737 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:13.250864983 CET | 49737 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:13.250881910 CET | 443 | 49737 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:13.250932932 CET | 443 | 49737 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:13.250982046 CET | 49737 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:13.250999928 CET | 443 | 49737 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:13.251178980 CET | 443 | 49737 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:13.251224041 CET | 49737 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:13.251240015 CET | 443 | 49737 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:13.251352072 CET | 443 | 49737 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:13.251409054 CET | 49737 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:13.251421928 CET | 443 | 49737 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:13.251511097 CET | 443 | 49737 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:13.251564026 CET | 49737 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:13.251576900 CET | 443 | 49737 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:13.251754999 CET | 443 | 49737 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:13.251826048 CET | 49737 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:13.285259008 CET | 49737 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:13.285298109 CET | 443 | 49737 | 104.21.16.1 | 192.168.2.4 |
Dec 30, 2024 20:40:13.285322905 CET | 49737 | 443 | 192.168.2.4 | 104.21.16.1 |
Dec 30, 2024 20:40:13.285340071 CET | 443 | 49737 | 104.21.16.1 | 192.168.2.4 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 30, 2024 20:40:00.254085064 CET | 61696 | 53 | 192.168.2.4 | 1.1.1.1 |
Dec 30, 2024 20:40:00.271703005 CET | 53 | 61696 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Dec 30, 2024 20:40:00.254085064 CET | 192.168.2.4 | 1.1.1.1 | 0x35ce | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Dec 30, 2024 20:40:00.271703005 CET | 1.1.1.1 | 192.168.2.4 | 0x35ce | No error (0) | | | 104.21.16.1 | A (IP address) | IN (0x0001) | false |
Dec 30, 2024 20:40:00.271703005 CET | 1.1.1.1 | 192.168.2.4 | 0x35ce | No error (0) | | | 104.21.48.1 | A (IP address) | IN (0x0001) | false |
Dec 30, 2024 20:40:00.271703005 CET | 1.1.1.1 | 192.168.2.4 | 0x35ce | No error (0) | | | 104.21.112.1 | A (IP address) | IN (0x0001) | false |
Dec 30, 2024 20:40:00.271703005 CET | 1.1.1.1 | 192.168.2.4 | 0x35ce | No error (0) | | | 104.21.32.1 | A (IP address) | IN (0x0001) | false |
Dec 30, 2024 20:40:00.271703005 CET | 1.1.1.1 | 192.168.2.4 | 0x35ce | No error (0) | | | 104.21.64.1 | A (IP address) | IN (0x0001) | false |
Dec 30, 2024 20:40:00.271703005 CET | 1.1.1.1 | 192.168.2.4 | 0x35ce | No error (0) | | | 104.21.96.1 | A (IP address) | IN (0x0001) | false |
Dec 30, 2024 20:40:00.271703005 CET | 1.1.1.1 | 192.168.2.4 | 0x35ce | No error (0) | | | 104.21.80.1 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.4 | 49730 | 104.21.16.1 | 443 | 7400 | C:\Users\user\Desktop\AquaDiscord-2.0.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-30 19:40:00 UTC | 264 | OUT | |
2024-12-30 19:40:00 UTC | 8 | OUT | |
2024-12-30 19:40:01 UTC | 1131 | IN | |
2024-12-30 19:40:01 UTC | 7 | IN | |
2024-12-30 19:40:01 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.4 | 49731 | 104.21.16.1 | 443 | 7400 | C:\Users\user\Desktop\AquaDiscord-2.0.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-30 19:40:01 UTC | 265 | OUT | |
2024-12-30 19:40:01 UTC | 51 | OUT | |
2024-12-30 19:40:02 UTC | 1129 | IN | |
2024-12-30 19:40:02 UTC | 240 | IN | |
2024-12-30 19:40:02 UTC | 1369 | IN | |
2024-12-30 19:40:02 UTC | 1369 | IN | |
2024-12-30 19:40:02 UTC | 159 | IN | |
2024-12-30 19:40:02 UTC | 1369 | IN | |
2024-12-30 19:40:02 UTC | 1369 | IN | |
2024-12-30 19:40:02 UTC | 1369 | IN | |
2024-12-30 19:40:02 UTC | 1369 | IN | |
2024-12-30 19:40:02 UTC | 1369 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.4 | 49732 | 104.21.16.1 | 443 | 7400 | C:\Users\user\Desktop\AquaDiscord-2.0.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-30 19:40:03 UTC | 281 | OUT | |
2024-12-30 19:40:03 UTC | 15331 | OUT | |
2024-12-30 19:40:03 UTC | 2824 | OUT | |
2024-12-30 19:40:04 UTC | 1140 | IN | |
2024-12-30 19:40:04 UTC | 20 | IN | |
2024-12-30 19:40:04 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.4 | 49733 | 104.21.16.1 | 443 | 7400 | C:\Users\user\Desktop\AquaDiscord-2.0.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-30 19:40:04 UTC | 280 | OUT | |
2024-12-30 19:40:04 UTC | 8776 | OUT | |
2024-12-30 19:40:05 UTC | 1129 | IN | |
2024-12-30 19:40:05 UTC | 20 | IN | |
2024-12-30 19:40:05 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.4 | 49734 | 104.21.16.1 | 443 | 7400 | C:\Users\user\Desktop\AquaDiscord-2.0.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-30 19:40:05 UTC | 282 | OUT | |
2024-12-30 19:40:05 UTC | 15331 | OUT | |
2024-12-30 19:40:05 UTC | 5104 | OUT | |
2024-12-30 19:40:06 UTC | 1131 | IN | |
2024-12-30 19:40:06 UTC | 20 | IN | |
2024-12-30 19:40:06 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.4 | 49735 | 104.21.16.1 | 443 | 7400 | C:\Users\user\Desktop\AquaDiscord-2.0.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-30 19:40:07 UTC | 281 | OUT | |
2024-12-30 19:40:07 UTC | 1272 | OUT | |
2024-12-30 19:40:07 UTC | 1128 | IN | |
2024-12-30 19:40:07 UTC | 20 | IN | |
2024-12-30 19:40:07 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.4 | 49736 | 104.21.16.1 | 443 | 7400 | C:\Users\user\Desktop\AquaDiscord-2.0.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-30 19:40:08 UTC | 284 | OUT | |
2024-12-30 19:40:08 UTC | 15331 | OUT | |
2024-12-30 19:40:08 UTC | 15331 | OUT | |
2024-12-30 19:40:08 UTC | 15331 | OUT | |
2024-12-30 19:40:08 UTC | 15331 | OUT | |
2024-12-30 19:40:08 UTC | 15331 | OUT | |
2024-12-30 19:40:08 UTC | 15331 | OUT | |
2024-12-30 19:40:08 UTC | 15331 | OUT | |
2024-12-30 19:40:08 UTC | 15331 | OUT | |
2024-12-30 19:40:08 UTC | 15331 | OUT | |
2024-12-30 19:40:08 UTC | 15331 | OUT | |
2024-12-30 19:40:12 UTC | 1137 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.4 | 49737 | 104.21.16.1 | 443 | 7400 | C:\Users\user\Desktop\AquaDiscord-2.0.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-30 19:40:12 UTC | 265 | OUT | |
2024-12-30 19:40:12 UTC | 86 | OUT | |
2024-12-30 19:40:13 UTC | 1133 | IN | |
2024-12-30 19:40:13 UTC | 236 | IN | |
2024-12-30 19:40:13 UTC | 1369 | IN | |
2024-12-30 19:40:13 UTC | 1369 | IN | |
2024-12-30 19:40:13 UTC | 1369 | IN | |
2024-12-30 19:40:13 UTC | 1369 | IN | |
2024-12-30 19:40:13 UTC | 1369 | IN | |
2024-12-30 19:40:13 UTC | 1369 | IN | |
2024-12-30 19:40:13 UTC | 1369 | IN | |
2024-12-30 19:40:13 UTC | 1369 | IN |
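The session tables above record, per TLS connection from PID 7400 to 104.21.16.1:443, how many bytes went out and came back. The script below is an added example, not code from the Joe Sandbox report or from the sample: it parses a copy of sessions 1, 2 and 6 in the report's own pipe-table layout and flags every session in which the client sent more bytes than it received, which is the shape an HTTP POST exfiltration over TLS leaves behind. The "more bytes out than in" rule is an assumed triage heuristic, not something the report defines.

```python
"""Triage the TLS session tables of a Joe Sandbox report (added example, not
code from the report or from the sample).  REPORT_ROWS copies three of the
session tables above (sessions 1, 2 and 6, PID 7400 -> 104.21.16.1:443) in
the report's pipe-table layout minus the empty "Data" column.  The rule
"more bytes out than in" is an assumed triage heuristic, not the report's."""
import re
from dataclasses import dataclass, field

REPORT_ROWS = r"""
1 | 192.168.2.4 | 49731 | 104.21.16.1 | 443 | 7400 | C:\Users\user\Desktop\AquaDiscord-2.0.exe |
2024-12-30 19:40:01 UTC | 265 | OUT |
2024-12-30 19:40:01 UTC | 51 | OUT |
2024-12-30 19:40:02 UTC | 1129 | IN |
2024-12-30 19:40:02 UTC | 240 | IN |
2024-12-30 19:40:02 UTC | 1369 | IN |
2024-12-30 19:40:02 UTC | 1369 | IN |
2024-12-30 19:40:02 UTC | 159 | IN |
2024-12-30 19:40:02 UTC | 1369 | IN |
2024-12-30 19:40:02 UTC | 1369 | IN |
2024-12-30 19:40:02 UTC | 1369 | IN |
2024-12-30 19:40:02 UTC | 1369 | IN |
2024-12-30 19:40:02 UTC | 1369 | IN |
2 | 192.168.2.4 | 49732 | 104.21.16.1 | 443 | 7400 | C:\Users\user\Desktop\AquaDiscord-2.0.exe |
2024-12-30 19:40:03 UTC | 281 | OUT |
2024-12-30 19:40:03 UTC | 15331 | OUT |
2024-12-30 19:40:03 UTC | 2824 | OUT |
2024-12-30 19:40:04 UTC | 1140 | IN |
2024-12-30 19:40:04 UTC | 20 | IN |
2024-12-30 19:40:04 UTC | 5 | IN |
6 | 192.168.2.4 | 49736 | 104.21.16.1 | 443 | 7400 | C:\Users\user\Desktop\AquaDiscord-2.0.exe |
2024-12-30 19:40:08 UTC | 284 | OUT |
2024-12-30 19:40:08 UTC | 15331 | OUT |
2024-12-30 19:40:08 UTC | 15331 | OUT |
2024-12-30 19:40:08 UTC | 15331 | OUT |
2024-12-30 19:40:08 UTC | 15331 | OUT |
2024-12-30 19:40:08 UTC | 15331 | OUT |
2024-12-30 19:40:08 UTC | 15331 | OUT |
2024-12-30 19:40:08 UTC | 15331 | OUT |
2024-12-30 19:40:08 UTC | 15331 | OUT |
2024-12-30 19:40:08 UTC | 15331 | OUT |
2024-12-30 19:40:08 UTC | 15331 | OUT |
2024-12-30 19:40:12 UTC | 1137 | IN |
"""

# Session header row: id | src ip | src port | dst ip | dst port | pid | process |
SESSION_RE = re.compile(r"^(?P<sid>\d+) \| [\d.]+ \| \d+ \| (?P<dst>[\d.]+) \| (?P<dport>\d+) \| (?P<pid>\d+) \| .+? \|$")
# Byte row: timestamp | bytes | IN/OUT |
RECORD_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d UTC \| (?P<n>\d+) \| (?P<dir>IN|OUT) \|$")


@dataclass
class Session:
    sid: int
    dst: str
    dport: int
    pid: int
    out_records: list = field(default_factory=list)
    in_records: list = field(default_factory=list)

    @property
    def upload_heavy(self) -> bool:
        # Assumed heuristic: the client pushed more bytes than it pulled.
        return sum(self.out_records) > sum(self.in_records)


def parse_sessions(text: str) -> list:
    """A header row opens a session; the byte rows after it belong to it."""
    sessions = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SESSION_RE.match(line):
            sessions.append(Session(int(m["sid"]), m["dst"], int(m["dport"]), int(m["pid"])))
        elif m := RECORD_RE.match(line):
            if not sessions:
                raise ValueError("byte row before any session header")
            bucket = sessions[-1].out_records if m["dir"] == "OUT" else sessions[-1].in_records
            bucket.append(int(m["n"]))
    return sessions


def triage(text: str) -> dict:
    """Per-session verdicts plus outbound byte totals per destination."""
    sessions = parse_sessions(text)
    per_dest = {}
    for s in sessions:
        key = f"{s.dst}:{s.dport}"
        per_dest[key] = per_dest.get(key, 0) + sum(s.out_records)
    return {
        "sessions": sessions,
        "flagged": [s.sid for s in sessions if s.upload_heavy],
        "total_out": sum(sum(s.out_records) for s in sessions),
        "total_in": sum(sum(s.in_records) for s in sessions),
        "out_per_dest": per_dest,
    }


if __name__ == "__main__":
    for s in triage(REPORT_ROWS)["sessions"]:
        print(f"session {s.sid} -> {s.dst}:{s.dport}: out={sum(s.out_records)} "
              f"in={sum(s.in_records)} largest_out={max(s.out_records)} "
              f"{'UPLOAD-HEAVY' if s.upload_heavy else 'ok'}")
```

Run on these rows, sessions 2 and 6 are flagged and session 1 is not: session 6 alone carries ten 15331-byte outbound records against a single 1137-byte reply, consistent with the chunked HTTP POST exfiltration the report's classification attributes to Lumma Stealer, while session 1 is the inverse (a 51-byte request answered by roughly 10 KB). All outbound bytes go to one endpoint, 104.21.16.1:443, but that address and the other 104.21.x.1 answers in the DNS table lie in Cloudflare's 104.16.0.0/12 range, so the IP is a weak indicator; the C2 hostnames in the extracted configuration are the durable ones.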
Target ID: | 0 |
Start time: | 14:39:58 |
Start date: | 30/12/2024 |
Path: | C:\Users\user\Desktop\AquaDiscord-2.0.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xaf0000 |
File size: | 834'048 bytes |
MD5 hash: | A15EBBC7798933DC1D436B59600F3ACA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 14:39:58 |
Start date: | 30/12/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 2 |
Start time: | 14:39:59 |
Start date: | 30/12/2024 |
Path: | C:\Users\user\Desktop\AquaDiscord-2.0.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xaf0000 |
File size: | 834'048 bytes |
MD5 hash: | A15EBBC7798933DC1D436B59600F3ACA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | false |
Execution Graph
Execution Coverage: | 8.1% |
Dynamic/Decrypted Code Coverage: | 0.4% |
Signature Coverage: | 1.1% |
Total number of Nodes: | 2000 |
Total number of Limit Nodes: | 28 |
Graph
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
00B2019E | 42.3 | 10 | 14 | 295 | thread, injection, memory, COMMON |
00AF1C10 | 14.1 | 7 | 1 | 108 | library, file, loader, COMMON |
00B06602 | 10.6 | 4 | 2 | 74 | COMMON, LIBRARYCODE |
00B06DEA | 7.7 | 5 | | 197 | COMMON |
00AF1DB0 | 7.1 | 2 | 2 | 78 | library, memory, loader, COMMON |
00B07268 | 3.2 | 2 | | 177 | COMMON |
00B07152 | 3.1 | 2 | | 65 | COMMON |
00AF2010 | 3.0 | 2 | | 34 | COMMON |
00B05677 | 3.0 | 2 | | 22 | memory, COMMON, LIBRARYCODE |
00AF14C0 | 1.8 | 1 | | 308 | COMMON |
00B077F7 | 1.6 | 1 | | 142 | COMMON |
00AF8530 | 1.6 | 1 | | 116 | COMMON |
00B056B1 | 1.5 | 1 | | 32 | memory, COMMON, LIBRARYCODE |
00AF20C0 | 1.5 | 1 | | 12 | COMMON |

Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
00B0B177 | 8.8 | 3 | 2 | 85 | COMMON, LIBRARYCODE |
00B03400 | 6.5 | 4 | | 455 | COMMON |
00B0B759 | 6.2 | 4 | | 205 | COMMON |
00AF9A33 | 6.1 | 4 | | 70 | COMMON |
00AFA2F5 | 6.0 | 4 | | 25 | time, thread, COMMON, LIBRARYCODE |
00B0ACF0 | 4.7 | 3 | | 205 | COMMON |
00AF969B | 1.7 | 1 | | 242 | COMMON |
00B0B6A8 | 1.7 | 1 | | 199 | file, COMMON |
00B0AFB0 | 1.6 | 1 | | 83 | COMMON |
00AFDDA2 | 1.6 | | 1 | 318 | COMMON |
00B0B0D0 | 1.6 | 1 | | 63 | COMMON |
00B0B27D | 1.5 | 1 | | 48 | COMMON |
00AF9A27 | 1.5 | 1 | | 3 | COMMON |
00B06FE0 | 1.3 | 1 | | 5 | memory, COMMON |
00AF1BA0 | 0.0 | | | 15 | COMMON |

Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
00B08576 | 10.8 | 7 | | 329 | COMMON |
00B12E5C | 9.3 | 6 | | 292 | COMMON |
00B04D0C | 9.1 | 2 | 3 | 301 | COMMON, LIBRARYCODE |
00AFF1B8 | 8.8 | 3 | 2 | 42 | library, loader, COMMON, LIBRARYCODE |
00B0F670 | 7.0 | 3 | 1 | 27 | library, COMMON, LIBRARYCODE |
00B0B536 | 6.1 | 4 | | 82 | COMMON |
00AFC9D2 | 6.1 | 4 | | 79 | COMMON |
00B0C92E | 6.1 | 4 | | 74 | COMMON |
00B0A0E6 | 5.4 | 2 | 1 | 191 | COMMON, LIBRARYCODE |
00B05130 | 5.4 | 1 | 2 | 122 | COMMON, LIBRARYCODE |
00B0499C | 5.3 | 1 | 2 | 97 | COMMON, LIBRARYCODE |
Execution Graph
Execution Coverage: | 5.8% |
Dynamic/Decrypted Code Coverage: | 4.4% |
Signature Coverage: | 48.3% |
Total number of Nodes: | 362 |
Total number of Limit Nodes: | 34 |
Graph
Function 00411920 Relevance: 105.2, APIs: 5, Strings: 54, Instructions: 1942COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00439B30 Relevance: 25.2, APIs: 11, Strings: 3, Instructions: 736memorycomCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 05141000 Relevance: 19.6, APIs: 13, Instructions: 81clipboardsleepmemoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004087B0 Relevance: 7.7, APIs: 5, Instructions: 225threadCOMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040CEC7 Relevance: 2.7, Strings: 2, Instructions: 173COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00441F50 Relevance: 2.6, Strings: 2, Instructions: 136COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042D2FF Relevance: 1.6, APIs: 1, Instructions: 78COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043CFDB Relevance: 1.5, APIs: 1, Instructions: 15memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043EEC0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00420830 Relevance: 1.4, Strings: 1, Instructions: 121COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00440ED0 Relevance: 1.3, Strings: 1, Instructions: 90COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00426B80 Relevance: .4, Instructions: 426COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043F23F Relevance: .1, Instructions: 71COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043FAEB Relevance: 3.0, APIs: 2, Instructions: 16COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00438974 Relevance: 1.5, APIs: 1, Instructions: 46COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043EE40 Relevance: 1.5, APIs: 1, Instructions: 45memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042F100 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004330A8 Relevance: 1.5, APIs: 1, Instructions: 23COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043D010 Relevance: 1.5, APIs: 1, Instructions: 18memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040C880 Relevance: 1.5, APIs: 1, Instructions: 17COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040C8B3 Relevance: 1.5, APIs: 1, Instructions: 17COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043CFF0 Relevance: 1.5, APIs: 1, Instructions: 6memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00434280 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 134clipboardCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00427050 Relevance: 10.5, Strings: 8, Instructions: 498COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004096B0 Relevance: 9.1, Strings: 7, Instructions: 385COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004162D2 Relevance: 9.1, Strings: 7, Instructions: 340COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00B0A9F7 Relevance: 7.7, APIs: 5, Instructions: 182COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00420130 Relevance: 6.8, Strings: 5, Instructions: 500COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042CC46 Relevance: 6.5, Strings: 5, Instructions: 211COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042CE63 Relevance: 6.5, Strings: 5, Instructions: 209COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00B03400 Relevance: 6.5, APIs: 4, Instructions: 455COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00AF9A33 Relevance: 6.1, APIs: 4, Instructions: 70COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0041AA81 Relevance: 4.2, Strings: 3, Instructions: 488COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00421600 Relevance: 4.1, Strings: 3, Instructions: 326COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00417FBC Relevance: 4.1, Strings: 3, Instructions: 325COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00413D50 Relevance: 3.6, Strings: 2, Instructions: 1117COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00408FE0 Relevance: 2.8, Strings: 2, Instructions: 286COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042BC0F Relevance: 2.7, Strings: 2, Instructions: 171COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042BBCB Relevance: 2.7, Strings: 2, Instructions: 152COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042BB79 Relevance: 2.6, Strings: 2, Instructions: 113COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043D9A0 Relevance: 1.9, Strings: 1, Instructions: 626COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00423E62 Relevance: 1.7, Strings: 1, Instructions: 467COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00421980 Relevance: 1.7, Strings: 1, Instructions: 457COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043A660 Relevance: 1.7, Strings: 1, Instructions: 453COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00416914 Relevance: 1.7, Strings: 1, Instructions: 438COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042AD70 Relevance: 1.6, Strings: 1, Instructions: 383COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042B1E0 Relevance: 1.5, Strings: 1, Instructions: 236COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0041B8D4 Relevance: 1.3, Strings: 1, Instructions: 94COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00402F10 Relevance: .7, Instructions: 664COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00407470 Relevance: .6, Instructions: 608COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405910 Relevance: .4, Instructions: 448COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00428D4A Relevance: .4, Instructions: 375COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0041CD40 Relevance: .3, Instructions: 267COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043D560 Relevance: .2, Instructions: 243COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00402530 Relevance: .2, Instructions: 239COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00427879 Relevance: .2, Instructions: 173COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00427030 Relevance: .1, Instructions: 103COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00423D10 Relevance: .1, Instructions: 94COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00436320 Relevance: .1, Instructions: 64COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042AA70 Relevance: .1, Instructions: 63COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043F6E3 Relevance: .0, Instructions: 31COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043EAF2 Relevance: .0, Instructions: 21COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040BDB9 Relevance: .0, Instructions: 10COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043323E Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 166memoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043397C Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 162memoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00AF1C10 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 108libraryloaderCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00B14192 Relevance: 12.2, APIs: 8, Instructions: 248, Tags: COMMON
Function 00B08576 Relevance: 10.8, APIs: 7, Instructions: 329, Tags: COMMON
Function 00B06602 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74, Tags: COMMON, LIBRARYCODE
Function 00B12E5C Relevance: 9.3, APIs: 6, Instructions: 292, Tags: COMMON
Function 00B04D0C Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301, Tags: COMMON, LIBRARYCODE
Function 00AFF1B8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42, Tags: library, loader, COMMON, LIBRARYCODE
Function 00B06DEA Relevance: 7.7, APIs: 5, Instructions: 197, Tags: COMMON
Function 00B0F670 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27, Tags: library, COMMON, LIBRARYCODE
Function 00B0B536 Relevance: 6.1, APIs: 4, Instructions: 82, Tags: COMMON
Function 00AFC9D2 Relevance: 6.1, APIs: 4, Instructions: 79, Tags: COMMON
Function 00B0C92E Relevance: 6.1, APIs: 4, Instructions: 74, Tags: COMMON
Function 00AFA2F5 Relevance: 6.0, APIs: 4, Instructions: 25, Tags: time, thread, COMMON, LIBRARYCODE
Function 00B05130 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 122, Tags: COMMON, LIBRARYCODE
Function 00B0499C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97, Tags: COMMON, LIBRARYCODE
Function 00AF1DB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 78, Tags: library, loader, COMMON