Windows Analysis Report
Launcher.exe

Overview

General Information

Detection

Field | Value |
---|---|
Score | 100 |
Range | 0 - 100 |
Whitelisted | false |
Confidence | 100% |

Signatures

Classification
- System is w10x64
- Launcher.exe (PID: 6048, cmdline: "C:\Users\user\Desktop\Launcher.exe", MD5: 5BEF55977A460A2162DD7F670B4A766A)
- conhost.exe (PID: 6472, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- Launcher.exe (PID: 7044, cmdline: "C:\Users\user\Desktop\Launcher.exe", MD5: 5BEF55977A460A2162DD7F670B4A766A)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | |

Extracted malware configuration:

{"C2 url": ["tirepublicerj.shop", "fancywaxxers.shop", "wholersorie.shop", "abruptyopsn.shop", "rabidcowse.shop", "noisycuttej.shop", "nearycrepso.shop", "cloudewahsj.shop", "framekgirus.shop"], "Build id": "yau6Na--622914791"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
 | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
 | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |
 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security | |
 | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-30T20:42:00.878009+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49699 | 104.21.96.1 | 443 | TCP |
2024-12-30T20:42:01.380600+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49699 | 104.21.96.1 | 443 | TCP |
2024-12-30T20:42:01.380600+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49699 | 104.21.96.1 | 443 | TCP |
2024-12-30T20:42:01.944538+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49700 | 104.21.96.1 | 443 | TCP |
2024-12-30T20:42:02.417442+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49700 | 104.21.96.1 | 443 | TCP |
2024-12-30T20:42:02.417442+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.7 | 49700 | 104.21.96.1 | 443 | TCP |
2024-12-30T20:42:03.140784+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49701 | 104.21.96.1 | 443 | TCP |
2024-12-30T20:42:04.207164+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49702 | 104.21.96.1 | 443 | TCP |
2024-12-30T20:42:06.012966+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49703 | 104.21.96.1 | 443 | TCP |
2024-12-30T20:42:07.575625+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49704 | 104.21.96.1 | 443 | TCP |
2024-12-30T20:42:08.104779+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49704 | 104.21.96.1 | 443 | TCP |
2024-12-30T20:42:09.077797+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49705 | 104.21.96.1 | 443 | TCP |
2024-12-30T20:42:11.256883+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49706 | 104.21.96.1 | 443 | TCP |
2024-12-30T20:42:11.727704+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49706 | 104.21.96.1 | 443 | TCP |
AV Detection |
---|
Avira URL Cloud: 16 entries |
Malware Configuration Extractor: 1 entry |
ReversingLabs: 1 entry |
Integrated Neural Analysis Model: 1 entry |
Joe Sandbox ML: 1 entry |
String decryptor: 15 entries |
Static PE information: 1 entry |
HTTPS traffic detected: 8 entries |
Code function: 0_2_001281F8, 0_2_001282A9, 3_2_001281F8, 3_2_001282A9 |
Code function: 3_2_0043E043, 3_2_0043E1E1, 3_2_0042D5B5, 3_2_0042C601, 3_2_0043D962, 3_2_0040B9B5, 3_2_0043FA20, 3_2_00426B60, 3_2_00426B60, 3_2_0040AB30, 3_2_0043BDD0, 3_2_0043BDD0, 3_2_0040DF42, 3_2_0041F040, 3_2_0043C020, 3_2_004170CA, 3_2_004170CA, 3_2_0041D0EC, 3_2_004400B0, 3_2_0041C11B, 3_2_00429129, 3_2_0043D25E, 3_2_0043C210, 3_2_00429129, 3_2_004264D7, 3_2_0043E4E1, 3_2_004074F0, 3_2_004074F0, 3_2_0043C540, 3_2_0041D50B, 3_2_00439520, 3_2_00439520, 3_2_00439520, 3_2_0042E5EF, 3_2_0041958C, 3_2_0042C607, 3_2_0041E630, 3_2_00409770, 3_2_00409770, 3_2_00409770, 3_2_004257D0, 3_2_004257D0, 3_2_0040A7EC, 3_2_00429862, 3_2_00429862, 3_2_0041B83D, 3_2_00405960, 3_2_00405960, 3_2_0040C9D1, 3_2_004209F0, 3_2_004189FD, 3_2_0042AAA0, 3_2_00435B00, 3_2_0040DBE5, 3_2_00402B90, 3_2_0043FD30, 3_2_00428DA0, 3_2_00428DA0, 3_2_00429E60, 3_2_00427E69, 3_2_0041CE98, 3_2_0042BEA2, 3_2_0041CEB5, 3_2_00415F48, 3_2_0040AFC0, 3_2_0042AFD0, 3_2_00423FF2 |
Networking |
---|
Suricata IDS: 6 entries |
URLs: 9 entries |
IP Address: 1 entry |
JA3 fingerprint: 1 entry |
Suricata IDS: 8 entries |
HTTP traffic detected: 8 entries |
UDP traffic detected without corresponding DNS query: 1 entry |
DNS traffic detected: 1 entry |
HTTP traffic detected: 1 entry |
String found in binary or memory: 50 entries |
Network traffic detected: 16 entries |
HTTPS traffic detected: 8 entries |
Code function: 3_2_00432FF0 |
Code function: 3_2_05731000 |
Code function: 3_2_00432FF0 |
Code function: 3_2_004341B0 |
Code function: 0_2_00120060, 0_2_00116127, 0_2_0012B59E, 0_2_0011A982, 0_2_0012BD99, 0_2_0012DFE2, 3_2_00120060, 3_2_00116127, 3_2_0012B59E, 3_2_0011A982, 3_2_0012BD99, 3_2_0012DFE2 |
Code function: 3_2_0040D37F, 3_2_004213D0, 3_2_00440440, 3_2_00423450, 3_2_0041050E, 3_2_0040C586, 3_2_004086D0, 3_2_004227AF, 3_2_004388E0, 3_2_0043FA20, 3_2_00426B60, 3_2_0040AB30, 3_2_00411B90, 3_2_0042CE11, 3_2_00422E22, 3_2_00422070, 3_2_004170CA, 3_2_0042A0E0, 3_2_004400B0, 3_2_0042D150, 3_2_0043F110, 3_2_0041E120, 3_2_00429129, 3_2_00426130, 3_2_0043F1C0, 3_2_00414250, 3_2_0043D25E, 3_2_0043F260, 3_2_00439260, 3_2_00406270, 3_2_0042F23E, 3_2_004312C0, 3_2_0042C2C6, 3_2_004042D0, 3_2_00443288, 3_2_004092B0, 3_2_0042C31F, 3_2_00416322, 3_2_00429129, 3_2_00436455, 3_2_0043D45C, 3_2_0041E430, 3_2_004264D7, 3_2_004074F0, 3_2_0043C540, 3_2_00439520, 3_2_00438590, 3_2_0041E630, 3_2_0042C6D9, 3_2_0041C6F8, 3_2_0041F690, 3_2_00409770, 3_2_00406700, 3_2_004257D0, 3_2_004307EF, 3_2_0042C7B2, 3_2_00429862, 3_2_00416322, 3_2_0042D819, 3_2_004288D4, 3_2_0043E8F6, 3_2_004368FE, 3_2_00405960, 3_2_00403920, 3_2_004209F0, 3_2_004189FD, 3_2_00408A40, 3_2_0041DA40, 3_2_00425A7F, 3_2_00423A90, 3_2_00419B00, 3_2_0041ABC0, 3_2_00439C57, 3_2_00404C60, 3_2_00416C2F, 3_2_00423D50, 3_2_00432D70, 3_2_0041DD10, 3_2_0043FD30, 3_2_0041BDF0, 3_2_00428DA0, 3_2_00427E69, 3_2_0040DE26, 3_2_0041AEC0, 3_2_00405EB0, 3_2_0043EEB0, 3_2_00402F00, 3_2_00426F10, 3_2_00437F10, 3_2_00426F30, 3_2_0040AFC0, 3_2_0042AFD0, 3_2_00408FE0, 3_2_00423FF2, 3_2_00417F96, 3_2_0043EFA0 |
Static PE information: 1 entry |
Static PE information: 2 entries |
Classification label: 1 entry |
Code function: 3_2_004388E0 |
Mutant created: 1 entry |
Static PE information: 1 entry |
Key opened: 1 entry |
Binary or memory string: 1 entry |
ReversingLabs: 1 entry |
File read: 1 entry |
Process created: 4 entries |
Section loaded: 48 entries |
Static PE information: 5 entries |
Code function: 0_2_00116776, 3_2_00116776, 3_2_0043C17E, 3_2_0044537E, 3_2_00446384, 3_2_004467A4, 3_2_0043EE62 |
Registry key monitored for changes: 2 entries |
Process information set: 1 entry |
Malware Analysis System Evasion |
---|
WMI Queries: 1 entry |
System information queried: 1 entry |
Window / User API: 1 entry |
Evasive API call chain: graph_0-21492 |
API coverage: 1 entry |
Thread sleep time: 1 entry |
Thread sleep count: 1 entry |
WMI Queries: 1 entry |
Last function: 2 entries |
Code function: 0_2_001281F8, 0_2_001282A9, 3_2_001281F8, 3_2_001282A9 |
Binary or memory string: 35 entries |
API call chain: graph_3-34678 |
Process information queried: 1 entry |
Code function: 3_2_0043D810 |
Code function: 0_2_001164BF |
Code function: 0_2_0014519E, 0_2_00101BA0, 3_2_00101BA0 |
Code function: 0_2_00123BE0 |
Code function: 0_2_001160FF, 0_2_001164B3, 0_2_001164BF, 0_2_0011E600, 3_2_001160FF, 3_2_001164B3, 3_2_001164BF, 3_2_0011E600 |
HIPS / PFW / Operating System Protection Evasion |
---|
Code function: 0_2_0014519E |
Memory written: 1 entry |
String found in binary or memory: 9 entries |
Process created: 1 entry |
Code function: 3_2_00438170 |
Code function: 0_2_001234BD, 0_2_00127547, 0_2_00127798, 0_2_00127840, 0_2_00127A93, 0_2_00127B00, 0_2_00127BD5, 0_2_00127C20, 0_2_00127CC7, 0_2_00127DCD, 0_2_00122FB5, 3_2_001234BD, 3_2_00127547, 3_2_00127798, 3_2_00127840, 3_2_00127A93, 3_2_00127B00, 3_2_00127BD5, 3_2_00127C20, 3_2_00127CC7, 3_2_00127DCD, 3_2_00122FB5 |
Queries volume information: 1 entry |
Code function: 0_2_00116AB4 |
Key value queried: 1 entry |
Binary or memory string: 1 entry |
WMI Queries: 1 entry |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | Directory queried: | Jump to behavior | ||
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: | ||
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 DLL Side-Loading | 211 Process Injection | 21 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Screen Capture | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 211 Process Injection | LSASS Memory | 1 Query Registry | Remote Desktop Protocol | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 241 Security Software Discovery | SMB/Windows Admin Shares | 41 Data from Local System | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 21 Virtualization/Sandbox Evasion | Distributed Component Object Model | 3 Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 11 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 43 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
50% | ReversingLabs | Win32.Trojan.CrypterX | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
fancywaxxers.shop | 104.21.96.1 | true | false | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
false | high | ||
false | high | ||
true | unknown | ||
false | high | ||
false | high | ||
false | high | ||
true | unknown | ||
false | high | ||
false | high | ||
false | high | ||
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high | |||
false | unknown | |||
false | unknown | |||
false | high | |||
false | high | |||
false | unknown | |||
false | high | |||
false | unknown | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | unknown | |||
false | high | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | unknown | |||
false | high | |||
false | unknown | |||
false | high | |||
false | unknown | |||
false | unknown | |||
false | high | |||
false | high | |||
false | unknown | |||
false | high | |||
false | unknown | |||
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
104.21.96.1 | fancywaxxers.shop | United States | 13335 | CLOUDFLARENETUS | false |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1582532 |
Start date and time: | 2024-12-30 20:41:09 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 8s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 14 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | Launcher.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@4/0@1/1 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53
- Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- VT rate limit hit for: Launcher.exe
Time | Type | Description |
---|---|---|
14:42:00 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
104.21.96.1 | Get hash | malicious | CMSBrute | Browse |
Get hash | malicious | FormBook | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
fancywaxxers.shop | Get hash | malicious | LummaC | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | LummaC | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CLOUDFLARENETUS | Get hash | malicious | LummaC | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | LummaC, DarkTortilla, LummaC Stealer, PureLog Stealer, zgRAT | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | KnowBe4 | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | SmokeLoader | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | LummaC, DarkTortilla, LummaC Stealer, PureLog Stealer, zgRAT | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | LummaC | Browse |
File type: | |
Entropy (8bit): | 7.7267311733579325 |
TrID: | |
File name: | Launcher.exe |
File size: | 913'920 bytes |
MD5: | 5bef55977a460a2162dd7f670b4a766a |
SHA1: | a3757f1cc17b9a534a2794345cf83c9b72a69aa5 |
SHA256: | 01847c8093c8715c282033512e67d57aafad3c787849a121f621ec9f04214340 |
SHA512: | d1a39e2556524e4f14e46f4eb208d9060ebea67832b50b9c035959fabd93757c2711e94e64b25807b65da03e3e280052b0adf6e78f3f7ba286dbd49ecf188c80 |
SSDEEP: | 24576:oGEZcUhkBQQb/GVD47cFMOqTfnb/GVD47cFMOqTfI:oG0cUhkqA/G6lfb/G6lfI |
TLSH: | BE15F1027591C0B3C87311B719BEDB69592EA6000B526ADF67880EFEDF706C19931F7A |
File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Mqg.................&...\.......n............@..........................`............@.....................................<.. |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x416ea0 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x67714D83 [Sun Dec 29 13:24:19 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 588987af4e159ab133c2fd81ab21d6c3 |
Instruction |
---|
call 00007F39A8B4853Ah |
jmp 00007F39A8B4839Dh |
mov ecx, dword ptr [00446C40h] |
push esi |
push edi |
mov edi, BB40E64Eh |
mov esi, FFFF0000h |
cmp ecx, edi |
je 00007F39A8B48536h |
test esi, ecx |
jne 00007F39A8B48558h |
call 00007F39A8B48561h |
mov ecx, eax |
cmp ecx, edi |
jne 00007F39A8B48539h |
mov ecx, BB40E64Fh |
jmp 00007F39A8B48540h |
test esi, ecx |
jne 00007F39A8B4853Ch |
or eax, 00004711h |
shl eax, 10h |
or ecx, eax |
mov dword ptr [00446C40h], ecx |
not ecx |
pop edi |
mov dword ptr [00446C80h], ecx |
pop esi |
ret |
push ebp |
mov ebp, esp |
sub esp, 14h |
lea eax, dword ptr [ebp-0Ch] |
xorps xmm0, xmm0 |
push eax |
movlpd qword ptr [ebp-0Ch], xmm0 |
call dword ptr [0044186Ch] |
mov eax, dword ptr [ebp-08h] |
xor eax, dword ptr [ebp-0Ch] |
mov dword ptr [ebp-04h], eax |
call dword ptr [00441828h] |
xor dword ptr [ebp-04h], eax |
call dword ptr [00441824h] |
xor dword ptr [ebp-04h], eax |
lea eax, dword ptr [ebp-14h] |
push eax |
call dword ptr [004418BCh] |
mov eax, dword ptr [ebp-10h] |
lea ecx, dword ptr [ebp-04h] |
xor eax, dword ptr [ebp-14h] |
xor eax, dword ptr [ebp-04h] |
xor eax, ecx |
leave |
ret |
mov eax, 00004000h |
ret |
push 00448318h |
call dword ptr [00441894h] |
ret |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
mov al, 01h |
ret |
push 00030000h |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x41608 | 0x3c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4a000 | 0xe8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4b000 | 0x2724 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x3d300 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x35e38 | 0xc0 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x417b8 | 0x174 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x3245a | 0x32600 | c4549430d24610c92b37bed6473270d7 | False | 0.4947755117866005 | data | 6.4148411499579145 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x34000 | 0x103dc | 0x10400 | 8f41f0a4477466e083dd1225271b1fed | False | 0.4734675480769231 | DOS executable (COM) | 5.262841422439912 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x45000 | 0x3ae0 | 0x2c00 | 41abedb3cd61d6efee59d0f1e4be6075 | False | 0.27885298295454547 | data | 5.101110177853289 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0x49000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x4a000 | 0xe8 | 0x200 | 9ba0e63b56b364ddba7264c6ed8b3c7f | False | 0.306640625 | data | 2.341009454357875 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x4b000 | 0x2724 | 0x2800 | 8bb45e0eca6ae0cfb6acb30c1d288b24 | False | 0.74765625 | data | 6.507988645199514 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.BSS | 0x4e000 | 0x4b400 | 0x4b400 | da2f40653873a2558249cc49e741dfde | False | 1.0003276837624584 | data | 7.999448087845865 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.BSS | 0x9a000 | 0x4b400 | 0x4b400 | da2f40653873a2558249cc49e741dfde | False | 1.0003276837624584 | data | 7.999448087845865 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_MANIFEST | 0x4a060 | 0x87 | XML 1.0 document, ASCII text | English | United States | 0.8222222222222222 |
DLL | Import |
---|---|
KERNEL32.dll | AcquireSRWLockExclusive, CloseHandle, CloseThreadpoolWork, CompareStringW, CreateFileW, CreateThreadpoolWork, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeConsole, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryWhenCallbackReturns, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitOnceBeginInitialize, InitOnceComplete, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, SubmitThreadpoolWork, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile |
GDI32.dll | EndPage, GetMetaFileBitsEx |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-30T20:42:00.878009+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49699 | 104.21.96.1 | 443 | TCP |
2024-12-30T20:42:01.380600+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49699 | 104.21.96.1 | 443 | TCP |
2024-12-30T20:42:01.380600+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49699 | 104.21.96.1 | 443 | TCP |
2024-12-30T20:42:01.944538+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49700 | 104.21.96.1 | 443 | TCP |
2024-12-30T20:42:02.417442+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.7 | 49700 | 104.21.96.1 | 443 | TCP |
2024-12-30T20:42:02.417442+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49700 | 104.21.96.1 | 443 | TCP |
2024-12-30T20:42:03.140784+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49701 | 104.21.96.1 | 443 | TCP |
2024-12-30T20:42:04.207164+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49702 | 104.21.96.1 | 443 | TCP |
2024-12-30T20:42:06.012966+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49703 | 104.21.96.1 | 443 | TCP |
2024-12-30T20:42:07.575625+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49704 | 104.21.96.1 | 443 | TCP |
2024-12-30T20:42:08.104779+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.7 | 49704 | 104.21.96.1 | 443 | TCP |
2024-12-30T20:42:09.077797+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49705 | 104.21.96.1 | 443 | TCP |
2024-12-30T20:42:11.256883+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49706 | 104.21.96.1 | 443 | TCP |
2024-12-30T20:42:11.727704+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49706 | 104.21.96.1 | 443 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 30, 2024 20:42:00.392918110 CET | 49699 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:00.392950058 CET | 443 | 49699 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:00.393021107 CET | 49699 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:00.395648956 CET | 49699 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:00.395662069 CET | 443 | 49699 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:00.877901077 CET | 443 | 49699 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:00.878009081 CET | 49699 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:00.881639957 CET | 49699 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:00.881649971 CET | 443 | 49699 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:00.881995916 CET | 443 | 49699 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:00.933140993 CET | 49699 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:00.933159113 CET | 49699 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:00.933258057 CET | 443 | 49699 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:01.380620003 CET | 443 | 49699 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:01.380727053 CET | 443 | 49699 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:01.380800962 CET | 49699 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:01.426353931 CET | 49699 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:01.426378012 CET | 443 | 49699 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:01.457901955 CET | 49700 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:01.457952976 CET | 443 | 49700 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:01.458122969 CET | 49700 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:01.466888905 CET | 49700 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:01.466908932 CET | 443 | 49700 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:01.944382906 CET | 443 | 49700 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:01.944538116 CET | 49700 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:01.945768118 CET | 49700 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:01.945781946 CET | 443 | 49700 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:01.946026087 CET | 443 | 49700 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:01.947276115 CET | 49700 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:01.947307110 CET | 49700 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:01.947355032 CET | 443 | 49700 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:02.417443037 CET | 443 | 49700 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:02.417519093 CET | 443 | 49700 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:02.417546988 CET | 443 | 49700 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:02.417577982 CET | 49700 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:02.417604923 CET | 443 | 49700 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:02.417651892 CET | 49700 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:02.417660952 CET | 443 | 49700 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:02.418078899 CET | 443 | 49700 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:02.418131113 CET | 49700 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:02.418138981 CET | 443 | 49700 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:02.418314934 CET | 443 | 49700 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:02.418346882 CET | 443 | 49700 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:02.418363094 CET | 49700 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:02.418371916 CET | 443 | 49700 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:02.418416023 CET | 49700 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:02.422988892 CET | 443 | 49700 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:02.468408108 CET | 49700 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:02.468430042 CET | 443 | 49700 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:02.515064955 CET | 49700 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:02.516253948 CET | 443 | 49700 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:02.516314030 CET | 443 | 49700 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:02.516346931 CET | 443 | 49700 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:02.516422033 CET | 49700 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:02.516438007 CET | 443 | 49700 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:02.516454935 CET | 443 | 49700 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:02.516485929 CET | 49700 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:02.516521931 CET | 49700 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:02.516760111 CET | 49700 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:02.516777992 CET | 443 | 49700 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:02.516789913 CET | 49700 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:02.516796112 CET | 443 | 49700 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:02.670530081 CET | 49701 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:02.670576096 CET | 443 | 49701 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:02.670686007 CET | 49701 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:02.671406984 CET | 49701 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:02.671422958 CET | 443 | 49701 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:03.140687943 CET | 443 | 49701 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:03.140784025 CET | 49701 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:03.142124891 CET | 49701 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:03.142133951 CET | 443 | 49701 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:03.142365932 CET | 443 | 49701 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:03.143603086 CET | 49701 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:03.143727064 CET | 49701 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:03.143757105 CET | 443 | 49701 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:03.665294886 CET | 443 | 49701 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:03.665397882 CET | 443 | 49701 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:03.665452003 CET | 49701 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:03.665632010 CET | 49701 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:03.665652037 CET | 443 | 49701 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:03.747971058 CET | 49702 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:03.748020887 CET | 443 | 49702 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:03.748104095 CET | 49702 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:03.748437881 CET | 49702 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:03.748457909 CET | 443 | 49702 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:04.207081079 CET | 443 | 49702 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:04.207164049 CET | 49702 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:04.257595062 CET | 49702 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:04.257613897 CET | 443 | 49702 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:04.257879972 CET | 443 | 49702 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:04.259813070 CET | 49702 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:04.260047913 CET | 49702 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:04.260085106 CET | 443 | 49702 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:04.260135889 CET | 49702 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:04.307336092 CET | 443 | 49702 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:04.760818005 CET | 443 | 49702 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:04.760914087 CET | 443 | 49702 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:04.761009932 CET | 49702 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:04.761132956 CET | 49702 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:04.761156082 CET | 443 | 49702 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:04.974363089 CET | 49703 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:04.974410057 CET | 443 | 49703 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:04.974471092 CET | 49703 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:04.974776030 CET | 49703 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:04.974791050 CET | 443 | 49703 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:06.012846947 CET | 443 | 49703 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:06.012965918 CET | 49703 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:06.014328003 CET | 49703 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:06.014334917 CET | 443 | 49703 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:06.014563084 CET | 443 | 49703 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:06.017390013 CET | 49703 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:06.017538071 CET | 49703 | 443 | 192.168.2.7 | 104.21.96.1 |
Dec 30, 2024 20:42:06.017564058 CET | 443 | 49703 | 104.21.96.1 | 192.168.2.7 |
Dec 30, 2024 20:42:06.017620087 CET | 49703 | 443 | 192.168.2.7 | 104.21.96.1 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 30, 2024 20:42:00.376498938 CET | 51738 | 53 | 192.168.2.7 | 1.1.1.1 |
Dec 30, 2024 20:42:00.388092995 CET | 53 | 51738 | 1.1.1.1 | 192.168.2.7 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Dec 30, 2024 20:42:00.376498938 CET | 192.168.2.7 | 1.1.1.1 | 0x5df5 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Dec 30, 2024 20:42:00.388092995 CET | 1.1.1.1 | 192.168.2.7 | 0x5df5 | No error (0) | | | 104.21.96.1 | A (IP address) | IN (0x0001) | false |
Dec 30, 2024 20:42:00.388092995 CET | 1.1.1.1 | 192.168.2.7 | 0x5df5 | No error (0) | | | 104.21.32.1 | A (IP address) | IN (0x0001) | false |
Dec 30, 2024 20:42:00.388092995 CET | 1.1.1.1 | 192.168.2.7 | 0x5df5 | No error (0) | | | 104.21.16.1 | A (IP address) | IN (0x0001) | false |
Dec 30, 2024 20:42:00.388092995 CET | 1.1.1.1 | 192.168.2.7 | 0x5df5 | No error (0) | | | 104.21.112.1 | A (IP address) | IN (0x0001) | false |
Dec 30, 2024 20:42:00.388092995 CET | 1.1.1.1 | 192.168.2.7 | 0x5df5 | No error (0) | | | 104.21.64.1 | A (IP address) | IN (0x0001) | false |
Dec 30, 2024 20:42:00.388092995 CET | 1.1.1.1 | 192.168.2.7 | 0x5df5 | No error (0) | | | 104.21.80.1 | A (IP address) | IN (0x0001) | false |
Dec 30, 2024 20:42:00.388092995 CET | 1.1.1.1 | 192.168.2.7 | 0x5df5 | No error (0) | | | 104.21.48.1 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.7 | 49699 | 104.21.96.1 | 443 | 7044 | C:\Users\user\Desktop\Launcher.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-30 19:42:00 UTC | 264 | OUT | |
2024-12-30 19:42:00 UTC | 8 | OUT | |
2024-12-30 19:42:01 UTC | 1139 | IN | |
2024-12-30 19:42:01 UTC | 7 | IN | |
2024-12-30 19:42:01 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.7 | 49700 | 104.21.96.1 | 443 | 7044 | C:\Users\user\Desktop\Launcher.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-30 19:42:01 UTC | 265 | OUT | |
2024-12-30 19:42:01 UTC | 51 | OUT | |
2024-12-30 19:42:02 UTC | 1129 | IN | |
2024-12-30 19:42:02 UTC | 240 | IN | |
2024-12-30 19:42:02 UTC | 1369 | IN | |
2024-12-30 19:42:02 UTC | 1369 | IN | |
2024-12-30 19:42:02 UTC | 175 | IN | |
2024-12-30 19:42:02 UTC | 1369 | IN | |
2024-12-30 19:42:02 UTC | 1369 | IN | |
2024-12-30 19:42:02 UTC | 1369 | IN | |
2024-12-30 19:42:02 UTC | 1369 | IN | |
2024-12-30 19:42:02 UTC | 1369 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.7 | 49701 | 104.21.96.1 | 443 | 7044 | C:\Users\user\Desktop\Launcher.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-30 19:42:03 UTC | 283 | OUT | |
2024-12-30 19:42:03 UTC | 12848 | OUT | |
2024-12-30 19:42:03 UTC | 1131 | IN | |
2024-12-30 19:42:03 UTC | 20 | IN | |
2024-12-30 19:42:03 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.7 | 49702 | 104.21.96.1 | 443 | 7044 | C:\Users\user\Desktop\Launcher.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-30 19:42:04 UTC | 278 | OUT | |
2024-12-30 19:42:04 UTC | 15050 | OUT | |
2024-12-30 19:42:04 UTC | 1135 | IN | |
2024-12-30 19:42:04 UTC | 20 | IN | |
2024-12-30 19:42:04 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.7 | 49703 | 104.21.96.1 | 443 | 7044 | C:\Users\user\Desktop\Launcher.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-30 19:42:06 UTC | 273 | OUT | |
2024-12-30 19:42:06 UTC | 15331 | OUT | |
2024-12-30 19:42:06 UTC | 5014 | OUT | |
2024-12-30 19:42:06 UTC | 1136 | IN | |
2024-12-30 19:42:06 UTC | 20 | IN | |
2024-12-30 19:42:06 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.7 | 49704 | 104.21.96.1 | 443 | 7044 | C:\Users\user\Desktop\Launcher.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-30 19:42:07 UTC | 283 | OUT | |
2024-12-30 19:42:07 UTC | 1229 | OUT | |
2024-12-30 19:42:08 UTC | 1128 | IN | |
2024-12-30 19:42:08 UTC | 20 | IN | |
2024-12-30 19:42:08 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.7 | 49705 | 104.21.96.1 | 443 | 7044 | C:\Users\user\Desktop\Launcher.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-30 19:42:09 UTC | 285 | OUT | |
2024-12-30 19:42:09 UTC | 15331 | OUT | |
2024-12-30 19:42:09 UTC | 15331 | OUT | |
2024-12-30 19:42:09 UTC | 15331 | OUT | |
2024-12-30 19:42:09 UTC | 15331 | OUT | |
2024-12-30 19:42:09 UTC | 15331 | OUT | |
2024-12-30 19:42:09 UTC | 15331 | OUT | |
2024-12-30 19:42:09 UTC | 15331 | OUT | |
2024-12-30 19:42:09 UTC | 15331 | OUT | |
2024-12-30 19:42:09 UTC | 15331 | OUT | |
2024-12-30 19:42:09 UTC | 15331 | OUT | |
2024-12-30 19:42:10 UTC | 1137 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.7 | 49706 | 104.21.96.1 | 443 | 7044 | C:\Users\user\Desktop\Launcher.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-30 19:42:11 UTC | 265 | OUT | |
2024-12-30 19:42:11 UTC | 86 | OUT | |
2024-12-30 19:42:11 UTC | 1137 | IN | |
2024-12-30 19:42:11 UTC | 232 | IN | |
2024-12-30 19:42:11 UTC | 1369 | IN | |
2024-12-30 19:42:11 UTC | 1369 | IN | |
2024-12-30 19:42:11 UTC | 1369 | IN | |
2024-12-30 19:42:11 UTC | 1369 | IN | |
2024-12-30 19:42:11 UTC | 1369 | IN | |
2024-12-30 19:42:11 UTC | 1369 | IN | |
2024-12-30 19:42:11 UTC | 1369 | IN | |
2024-12-30 19:42:11 UTC | 1369 | IN | |
Target ID: | 0 |
Start time: | 14:41:59 |
Start date: | 30/12/2024 |
Path: | C:\Users\user\Desktop\Launcher.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x100000 |
File size: | 913'920 bytes |
MD5 hash: | 5BEF55977A460A2162DD7F670B4A766A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 14:41:59 |
Start date: | 30/12/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff75da10000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 14:41:59 |
Start date: | 30/12/2024 |
Path: | C:\Users\user\Desktop\Launcher.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x100000 |
File size: | 913'920 bytes |
MD5 hash: | 5BEF55977A460A2162DD7F670B4A766A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Execution Graph
Execution Coverage: | 7.7% |
Dynamic/Decrypted Code Coverage: | 3% |
Signature Coverage: | 4.1% |
Total number of Nodes: | 267 |
Total number of Limit Nodes: | 4 |
Graph
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
0014519E | 42.3 | 10 | 14 | 295 | thread, injection, memory, COMMON |
00101C10 | 14.1 | 7 | 1 | 108 | library, file, loader, COMMON |
00123202 | 10.6 | 4 | 2 | 74 | COMMON, LIBRARYCODE |
00101DB0 | 7.1 | 2 | 2 | 78 | library, memory, loader, COMMON |
00123D52 | 3.1 | 2 | | 65 | COMMON |
00102010 | 3.0 | 2 | | 34 | COMMON |
00122277 | 3.0 | 2 | | 22 | memory, COMMON, LIBRARYCODE |
001014C0 | 1.8 | 1 | | 308 | COMMON |
00114C70 | 1.6 | 1 | | 116 | COMMON |
00113390 | 1.6 | 1 | | 66 | COMMON |
00102210 | 1.6 | 1 | | 53 | COMMON |
001235B4 | 1.5 | 1 | | 39 | memory, COMMON, LIBRARYCODE |
001222B1 | 1.5 | 1 | | 32 | memory, COMMON, LIBRARYCODE |
0010F670 | 1.5 | 1 | | 27 | COMMON |
00127CC7 | 8.8 | 3 | 2 | 85 | COMMON, LIBRARYCODE |
00120060 | 6.5 | 4 | | 455 | COMMON |
001282A9 | 6.2 | 4 | | 205 | COMMON |
001164BF | 6.1 | 4 | | 70 | COMMON |
00127840 | 4.7 | 3 | | 205 | COMMON |
001281F8 | 1.7 | 1 | | 199 | file, COMMON |
00127B00 | 1.6 | 1 | | 83 | COMMON |
0011A982 | 1.6 | | 1 | 318 | COMMON |
00127C20 | 1.6 | 1 | | 63 | COMMON |
00127DCD | 1.5 | 1 | | 48 | COMMON |
001164B3 | 1.5 | 1 | | 3 | COMMON |
00123BE0 | 1.3 | 1 | | 5 | memory, COMMON |
0012BD99 | 0.6 | | | 637 | COMMON |
00101BA0 | 0.0 | | | 15 | COMMON |
00125176 | 10.8 | 7 | | 329 | COMMON |
00116A80 | 10.5 | 3 | 3 | 15 | library, loader, COMMON |
0013097C | 9.3 | 6 | | 292 | COMMON |
0012190E | 9.1 | 2 | 3 | 301 | COMMON, LIBRARYCODE |
0011BD98 | 8.8 | 3 | 2 | 42 | library, loader, COMMON, LIBRARYCODE |
001239EA | 7.7 | 5 | | 197 | COMMON |
00115D01 | 7.6 | 5 | | 116 | thread, COMMON |
0012D190 | 7.0 | 3 | 1 | 27 | library, COMMON, LIBRARYCODE |
00128086 | 6.1 | 4 | | 82 | COMMON |
001195B2 | 6.1 | 4 | | 79 | COMMON |
0012947E | 6.1 | 4 | | 74 | COMMON |
00116EF5 | 6.0 | 4 | | 25 | time, thread, COMMON, LIBRARYCODE |
00126C36 | 5.4 | 2 | 1 | 191 | COMMON, LIBRARYCODE |
00121D32 | 5.4 | 1 | 2 | 120 | COMMON, LIBRARYCODE |
0012159E | 5.3 | 1 | 2 | 97 | COMMON, LIBRARYCODE |
Execution Graph
Execution Coverage: | 5% |
Dynamic/Decrypted Code Coverage: | 6.3% |
Signature Coverage: | 43.1% |
Total number of Nodes: | 253 |
Total number of Limit Nodes: | 21 |
Graph
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
00411B90 | 175.5 | 3 | 96 | 2214 | COMMON |
004388E0 | 25.3 | 11 | 3 | 787 | memory, com, COMMON |
05731000 | 19.6 | 13 | | 81 | clipboard, sleep, memory, COMMON |
0040B9B5 | 12.6 | | 10 | 105 | COMMON |
004086D0 | 7.7 | 5 | | 212 | thread, COMMON |
0040AB30 | 5.4 | | 4 | 371 | COMMON |
0042C607 | 3.1 | 2 | | 95 | COMMON |
0042C601 | 3.1 | 2 | | 83 | COMMON |
00426B60 | 2.8 | | 2 | 325 | COMMON |
0041050E | 2.3 | 1 | | 802 | COMMON |
0042E5EF | 1.6 | 1 | | 79 | COMMON |
0043D962 | 1.5 | 1 | | 30 | COMMON |
0043D810 | 1.5 | 1 | | 14 | library, COMMON |
0043E043 | 1.4 | | 1 | 130 | COMMON |
0043E1E1 | 1.3 | | 1 | 82 | COMMON |
0043FA20 | 0.3 | | | 308 | COMMON |
0043BDD0 | 0.2 | | | 218 | COMMON |
0042D5B5 | 0.1 | | | 118 | COMMON |
0040CBF6 | 3.1 | 2 | | 120 | COMMON |
0042C918 | 1.6 | 1 | | 81 | COMMON |
0043D7A0 | 1.5 | 1 | | 45 | memory, COMMON |
004327A3 | 1.5 | 1 | | 27 | COMMON |
0042EBBE | 1.5 | 1 | | 21 | COMMON |
0043BD90 | 1.5 | 1 | | 18 | memory, COMMON |
0040CD97 | 1.5 | 1 | | 17 | COMMON |
0043D991 | 1.5 | 1 | | 15 | COMMON |
0043BD70 | 1.5 | 1 | | 9 | memory, COMMON |
00423FF2 | 20.9 | | 16 | 907 | COMMON |
00432FF0 | 12.4 | 6 | 1 | 136 | clipboard, COMMON |
0041E630 | 12.1 | | 9 | 830 | COMMON |
00409770 | 10.4 | | 8 | 365 | COMMON |
00438170 | 8.9 | | 7 | 186 | COMMON |
00127CC7 | 8.8 | 3 | 2 | 85 | COMMON, LIBRARYCODE |
00120060 | 6.5 | 4 | | 455 | COMMON |
001282A9 | 6.2 | 4 | | 205 | COMMON |
001164BF | 6.1 | 4 | | 70 | COMMON |
004257D0 | 5.6 | | 4 | 643 | COMMON |
004264D7 | 5.4 | | 4 | 436 | COMMON |
0041CE98 | 5.2 | | 4 | 211 | COMMON |
0041CEB5 | 5.2 | | 4 | 202 | COMMON |
0040DBE5 | 5.1 | | 4 | 147 | COMMON |
004189FD | 4.7 | | 3 | 979 | COMMON |
0043C540 | 4.5 | | 3 | 718 | COMMON |
0041C11B | 4.0 | | 3 | 253 | COMMON |
0040AFC0 | 3.1 | | 2 | 561 | COMMON |
0041B83D | 2.6 | | 2 | 130 | COMMON |
0040C9D1 | 2.6 | | 2 | 115 | COMMON |
00429862 | 1.8 | 1 | | 279 | COMMON |
00439520 | 1.7 | | 1 | 449 | COMMON |
0042AFD0 | 1.7 | | 1 | 413 | COMMON |
0041958C | 1.6 | | 1 | 326 | COMMON |
00428DA0 | 1.6 | | 1 | 302 | COMMON |
0043D25E | 1.4 | | 1 | 131 | COMMON |
0040A7EC | 1.3 | | 1 | 23 | COMMON |
00429129 | 0.6 | | | 629 | COMMON |
004074F0 | 0.6 | | | 625 | COMMON |
004209F0 | 0.5 | | | 461 | COMMON |
00405960 | 0.4 | | | 449 | COMMON |
0041D0EC | 0.4 | | | 432 | COMMON |
0041D50B | 0.4 | | | 415 | COMMON |
004400B0 | 0.3 | | | 344 | COMMON |
0043FD30 | 0.3 | | | 339 | COMMON |
0043C210 | 0.2 | | | 226 | COMMON |
0042BEA2 | 0.2 | | | 222 | COMMON |
0041F040 | 0.2 | | | 204 | COMMON |
00415F48 | 0.1 | | | 145 | COMMON |
0043C020 | 0.1 | | | 108 | COMMON |
00435B00 | 0.1 | | | 64 | COMMON |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042AAA0 Relevance: .1, Instructions: 63COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043E4E1 Relevance: .1, Instructions: 63COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00402B90 Relevance: .0, Instructions: 48COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00101C10 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 108libraryloaderCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00125176 Relevance: 10.8, APIs: 7, Instructions: 329COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00123202 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00116A80 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0013097C Relevance: 9.3, APIs: 6, Instructions: 292COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0012190E Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042E196 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 146libraryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0011BD98 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 001239EA Relevance: 7.7, APIs: 5, Instructions: 197COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00115D01 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0012D190 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00128086 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 001195B2 Relevance: 6.1, APIs: 4, Instructions: 79COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0012947E Relevance: 6.1, APIs: 4, Instructions: 74COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00116EF5 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00126C36 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00121D32 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 120COMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0012159E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00101DB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 78libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|