Windows
Analysis Report
Active_Setup.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- Active_Setup.exe (PID: 7284 cmdline: "C:\Users\user\Desktop\Active_Setup.exe" MD5: E33268982207781838161261E248276B)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | |
{"C2 url": ["cloudewahsj.shop", "tirepublicerj.shop", "rabidcowse.shop", "wholersorie.shop", "abruptyopsn.shop", "nearycrepso.shop", "arisealert.click", "framekgirus.shop", "noisycuttej.shop"], "Build id": "hRjzG3--ZINA"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| Windows_Trojan_Donutloader_f40e3759 | unknown | unknown | |
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |
| JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security | |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-31T17:11:27.604380+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49700 | 104.21.52.90 | 443 | TCP |
2024-12-31T17:11:28.570045+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49706 | 104.21.52.90 | 443 | TCP |
2024-12-31T17:11:29.847065+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49717 | 104.21.52.90 | 443 | TCP |
2024-12-31T17:11:31.079033+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49728 | 104.21.52.90 | 443 | TCP |
2024-12-31T17:11:32.510325+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49738 | 104.21.52.90 | 443 | TCP |
2024-12-31T17:11:36.878824+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49767 | 104.21.52.90 | 443 | TCP |
2024-12-31T17:11:40.476792+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49793 | 104.21.52.90 | 443 | TCP |
2024-12-31T17:11:42.356947+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49805 | 104.21.52.90 | 443 | TCP |
2024-12-31T17:11:45.335160+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49826 | 104.21.52.90 | 443 | TCP |
2024-12-31T17:11:46.587112+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49832 | 185.161.251.21 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-31T17:11:28.102968+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49700 | 104.21.52.90 | 443 | TCP |
2024-12-31T17:11:29.039854+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49706 | 104.21.52.90 | 443 | TCP |
2024-12-31T17:11:45.808781+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49826 | 104.21.52.90 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-31T17:11:28.102968+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49700 | 104.21.52.90 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-31T17:11:29.039854+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.7 | 49706 | 104.21.52.90 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-31T17:11:31.881524+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49728 | 104.21.52.90 | 443 | TCP |
AV Detection |
---|
- Avira URL Cloud: 7 entries
- Malware Configuration Extractor: 1 entry
- Virustotal: 1 entry (Perma Link)
- Integrated Neural Analysis Model: 1 entry
- String decryptor: 15 entries
- Static PE information: 1 entry
- HTTPS traffic detected: 10 entries
- Static PE information: 1 entry
- Code function: 0_2_009CF8DC, 0_2_00C60AA4
Networking |
---|
- Suricata IDS: 6 entries
- URLs: 9 entries
- TCP traffic: 1 entry
- IP Address: 1 entry
- ASN Name: 1 entry
- JA3 fingerprint: 1 entry
- Suricata IDS: 10 entries
- HTTP traffic detected: 10 entries
- TCP traffic detected without corresponding DNS query: 4 entries
- UDP traffic detected without corresponding DNS query: 3 entries
- HTTP traffic detected: 1 entry
- DNS traffic detected: 3 entries
- HTTP traffic detected: 1 entry
- String found in binary or memory: 49 entries
- Network traffic detected: 20 entries
- HTTPS traffic detected: 10 entries
- Code function: 0_2_00AAA790
System Summary |
---|
- Matched rule: 1 entry
- Process Stats: 1 entry
- Code function: 0_3_008817DF, 0_3_0087EC00, 0_3_00887600, 0_3_00887241, 0_2_00ACFE60
- Static PE information: 3 entries
- Matched rule: 1 entry
- Classification label: 1 entry
- Code function: 0_2_00AA873C
- Code function: 0_2_00BD6440
- Code function: 0_2_00A602E4
- Key opened: 2 entries
- Key opened: 1 entry
- Binary or memory string: 1 entry
- Virustotal: 1 entry
- String found in binary or memory: 5 entries
- File read: 1 entry
- Section loaded: 59 entries
- Static PE information: 1 entry
- Static file information: 1 entry
- Static PE information: 3 entries
- Code function: 0_3_00870BFD, 0_3_0086C355, 0_3_0086CB55, 0_3_0086CF55, 0_3_0086C351, 0_3_0086CB51, 0_3_0086CF51, 0_3_0086C365, 0_3_0086CB65, 0_3_0086CF65, 0_3_0086C361, 0_3_0086CB61, 0_3_0086CF61, 0_3_0086C36D, 0_3_0086CB6D, 0_3_0086CF6D (each address except 0_3_0086CF6D matched twice)
- Code function: 0_2_00C4E1CC
- Registry key monitored for changes: 2 entries
- Process information set: 4 entries
Malware Analysis System Evasion |
---|
- WMI Queries: 1 entry
- System information queried: 1 entry
- Code function: 0_3_008817DF
- Thread sleep time: 1 entry
- WMI Queries: 1 entry
- Code function: 0_2_009CF8DC, 0_2_00C60AA4
- Binary or memory string: 35 entries
- Process information queried: 1 entry
- Code function: 0_3_008817DF
- Code function: 0_2_00A6C6C0
HIPS / PFW / Operating System Protection Evasion |
---|
- String found in binary or memory: 9 entries
- Code function: 0_2_009CFA34
- Queries volume information: 1 entry
- Code function: 0_2_009EC494
- Key value queried: 1 entry
- Binary or memory string: 1 entry
- WMI Queries: 1 entry
Stealing of Sensitive Information |
---|
- File source: 3 entries
- String found in binary or memory: 9 entries
- File opened: 108 entries
- File opened: 7 entries
- File opened: 12 entries
- Directory queried: 36 entries
- File source: 1 entry
Remote Access Functionality |
---|
- File source: 3 entries
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 Query Registry | Remote Services | 1 Screen Capture | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 241 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 41 Data from Local System | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | 114 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 11 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 33 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 3% | ReversingLabs | | |
| 7% | Virustotal | | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 100% | Avira URL Cloud | malware | |
| 100% | Avira URL Cloud | malware | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 100% | Avira URL Cloud | malware | |
| 100% | Avira URL Cloud | malware | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 100% | Avira URL Cloud | malware | |
| 100% | Avira URL Cloud | malware | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 100% | Avira URL Cloud | malware | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
cegu.shop | 185.161.251.21 | true | false | high | |
arisealert.click | 104.21.52.90 | true | true | unknown | |
206.23.85.13.in-addr.arpa | unknown | unknown | false | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
false | high | ||
true | unknown | ||
false | high | ||
false | high | ||
false | high | ||
false | high | ||
false | high | ||
false | high | ||
true | unknown | ||
false | high | ||
false | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | unknown | |||
false | high | |||
false | high | |||
false | high | |||
false | unknown | |||
false | unknown | |||
false | high | |||
false | high | |||
false | unknown | |||
false | high | |||
false | high | |||
false | high | |||
false | unknown | |||
false | unknown | |||
false | high | |||
false | unknown | |||
false | unknown | |||
false | high | |||
false | unknown | |||
false | unknown | |||
false | high | |||
false | unknown | |||
false | high | |||
false | unknown | |||
false | high | |||
false | high | |||
false | high | |||
false | unknown | |||
false | high | |||
false | high | |||
false | high | |||
false | unknown | |||
false | high | |||
false | high | |||
false | unknown | |||
false | high |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
104.21.52.90 | arisealert.click | United States | 13335 | CLOUDFLARENETUS | true | |
185.161.251.21 | cegu.shop | United Kingdom | 5089 | NTLGB | false |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1582858 |
Start date and time: | 2024-12-31 17:10:23 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 8m 33s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 13 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | Active_Setup.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@1/0@3/2 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56, 13.85.23.206, 20.109.210.53
- Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenFile calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description |
---|---|---|
11:11:27 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
185.161.251.21 | Get hash | malicious | LummaC | Browse | ||
Get hash | malicious | LummaC | Browse | |||
Get hash | malicious | LummaC | Browse | |||
Get hash | malicious | LummaC | Browse | |||
Get hash | malicious | LummaC | Browse | |||
Get hash | malicious | LummaC | Browse | |||
Get hash | malicious | LummaC Stealer | Browse | |||
Get hash | malicious | LummaC | Browse | |||
Get hash | malicious | LummaC | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
cegu.shop | Get hash | malicious | LummaC | Browse | ||
Get hash | malicious | LummaC | Browse | |||
Get hash | malicious | LummaC | Browse | |||
Get hash | malicious | LummaC | Browse | |||
Get hash | malicious | LummaC | Browse | |||
Get hash | malicious | LummaC | Browse | |||
Get hash | malicious | LummaC Stealer | Browse | |||
Get hash | malicious | LummaC | Browse | |||
Get hash | malicious | LummaC | Browse | |||
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CLOUDFLARENETUS | Get hash | malicious | Unknown | Browse | ||
Get hash | malicious | Titanium Proxy, PureLog Stealer | Browse | |||
Get hash | malicious | Vidar | Browse | |||
Get hash | malicious | Titanium Proxy, PureLog Stealer | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar | Browse | |||
Get hash | malicious | LummaC | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
NTLGB | Get hash | malicious | LummaC | Browse | ||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | LummaC | Browse | |||
Get hash | malicious | LummaC | Browse | |||
Get hash | malicious | LummaC | Browse | |||
Get hash | malicious | LummaC | Browse | |||
Get hash | malicious | Mirai | Browse | |||
Get hash | malicious | Mirai | Browse | |||
Get hash | malicious | Mirai | Browse | |||
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC | Browse | ||
Get hash | malicious | LummaC | Browse | |||
Get hash | malicious | LummaC | Browse | |||
Get hash | malicious | LummaC, Amadey, LummaC Stealer | Browse | |||
Get hash | malicious | LummaC | Browse | |||
Get hash | malicious | DBatLoader | Browse | |||
Get hash | malicious | LummaC | Browse | |||
Get hash | malicious | LummaC | Browse | |||
Get hash | malicious | LummaC | Browse | |||
Get hash | malicious | LummaC | Browse | |||
File type: | |
Entropy (8bit): | 0.8301606363145327 |
TrID: | |
File name: | Active_Setup.exe |
File size: | 78'065'437 bytes |
MD5: | e33268982207781838161261e248276b |
SHA1: | 892974179ab18b8ee149137d16ca595db97500a0 |
SHA256: | f9af65ed05caa99519eb5083daf6a39c1a467576a1465a4fa44759f861bce244 |
SHA512: | 8765ded1fed71da6ec40423b3409f11fe1f33ab3651f0be0e2525dd1a8c4f112629a4af883bd75202a81cf2114cfc813320a7e8f4dfaf197ad64d460894b8539 |
SSDEEP: | 49152:zdJYVM+9JtzgWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLt1RQGDmt1fl8IrA:ZJYVM+LtUt3P/KuG2ONG9iq3RQGAnJrA |
TLSH: | BA087F97A202FB75CB8A8D3615E3EBC954B77510231186E79ADC364CEE2B4C8073B527 |
File Content Preview: | MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x6adbf4 |
Entrypoint Section: | .itext |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x6690DABC [Fri Jul 12 07:26:52 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 1 |
File Version Major: | 6 |
File Version Minor: | 1 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 1 |
Import Hash: | d6ea28a9f4da0730c2562f3beec87130 |
Signature Valid: | false |
Signature Issuer: | CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US |
Signature Validation Error: | The digital signature of the object did not verify |
Error Number: | -2146869232 |
Not Before, Not After | |
Subject Chain | |
Version: | 3 |
Thumbprint MD5: | 4068B1B0494EFA79F5A751DCCA8111CD |
Thumbprint SHA-1: | 914A09C2E02C696AF394048BCB8D95449BCD5B9E |
Thumbprint SHA-256: | 4A838904E732A380E2856A9D6FEE926E5C57EB59336292AC5D9E47C9B2C1ED13 |
Serial: | 33000003DFFB6AE3F427ECB6A30000000003DF |
Instruction |
---|
push ebp |
mov ebp, esp |
add esp, FFFFFFF0h |
push ebx |
push esi |
push edi |
mov eax, 006A1758h |
call 00007F8DC45B1622h |
mov eax, dword ptr [006B7ADCh] |
mov eax, dword ptr [eax] |
mov eax, dword ptr [eax+00000190h] |
push FFFFFFECh |
push eax |
call 00007F8DC45B5C55h |
mov edx, dword ptr [006B7ADCh] |
mov edx, dword ptr [edx] |
mov edx, dword ptr [edx+00000190h] |
and eax, FFFFFF7Fh |
push eax |
push FFFFFFECh |
push edx |
call 00007F8DC45B5C41h |
xor eax, eax |
push ebp |
push 006ADC85h |
push dword ptr fs:[eax] |
mov dword ptr fs:[eax], esp |
push 00000001h |
call 00007F8DC45B4F34h |
call 00007F8DC4840D4Fh |
mov eax, dword ptr [006A137Ch] |
push eax |
push 006A1414h |
mov eax, dword ptr [006B7ADCh] |
mov eax, dword ptr [eax] |
call 00007F8DC474B118h |
mov eax, 0069C190h |
mov edx, dword ptr [006B7944h] |
mov dword ptr [edx], eax |
call 00007F8DC4840D96h |
xor eax, eax |
pop edx |
pop ecx |
pop ecx |
mov dword ptr fs:[eax], edx |
jmp 00007F8DC484D4FBh |
jmp 00007F8DC45A942Bh |
call 00007F8DC4840ADAh |
mov eax, 00000001h |
call 00007F8DC45A9F18h |
call 00007F8DC45A986Fh |
mov eax, dword ptr [006B7ADCh] |
mov eax, dword ptr [eax] |
mov edx, 006ADE18h |
call 00007F8DC474ABE2h |
push 00000005h |
mov eax, dword ptr [006B7ADCh] |
mov eax, dword ptr [eax] |
mov eax, dword ptr [eax+00000190h] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2c5000 | 0x6e | .edata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2c0000 | 0x3a6a | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x305000 | 0x8da00 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x4a70d4d | 0x21d0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2c8000 | 0x3cd44 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x2c7000 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2c09f8 | 0x8e0 | .idata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x2c4000 | 0xe28 | .didata |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x2a910c | 0x2a9200 | 636911b28886fbf414dbba8e257d3150 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.itext | 0x2ab000 | 0x2e24 | 0x3000 | 4aadf43ce8bf8e2d71c98187b11e0b7d | False | 0.4940592447916667 | data | 6.150722356110934 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.data | 0x2ae000 | 0x9e18 | 0xa000 | 9c5114b05054094107967068f16428b9 | False | 0.5979736328125 | data | 6.333690263645768 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.bss | 0x2b8000 | 0x7cd0 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0x2c0000 | 0x3a6a | 0x3c00 | c255c35dc8b2afb5a1e8a0d53ec7a7b6 | False | 0.3244140625 | PDP-11 overlaid pure executable | 5.195700686476652 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.didata | 0x2c4000 | 0xe28 | 0x1000 | eb38b8d680c9b49ddcbbfdf40683169f | False | 0.311767578125 | data | 4.032868001403646 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.edata | 0x2c5000 | 0x6e | 0x200 | 54166a993ddfc95afd7da99ac7579d19 | False | 0.173828125 | data | 1.3044245768916944 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.tls | 0x2c6000 | 0x58 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0x2c7000 | 0x5d | 0x200 | 2bd0b4250f44ecdcc366775e042632aa | False | 0.189453125 | data | 1.3744124358228273 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x2c8000 | 0x3cd3c | 0x3ce00 | dfaa7069a9101422af2acb1619b72127 | False | 0.5655520084702259 | data | 6.733343374740925 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.rsrc | 0x305000 | 0x8da00 | 0x8da00 | 076031fba3f2f42f81006b7ba012b1ab | False | 0.389713081972639 | data | 5.30120396773853 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
DLL | Import |
---|---|
mpr.dll | WNetEnumResourceW, WNetGetUniversalNameW, WNetGetConnectionW, WNetCloseEnum, WNetOpenEnumW |
comdlg32.dll | GetSaveFileNameW, GetOpenFileNameW |
comctl32.dll | FlatSB_SetScrollInfo, InitCommonControls, ImageList_DragMove, ImageList_Destroy, _TrackMouseEvent, ImageList_DragShowNolock, ImageList_Add, FlatSB_SetScrollProp, ImageList_GetDragImage, ImageList_Create, ImageList_EndDrag, ImageList_DrawEx, ImageList_SetImageCount, FlatSB_GetScrollPos, FlatSB_SetScrollPos, InitializeFlatSB, FlatSB_GetScrollInfo, ImageList_Write, ImageList_DrawIndirect, ImageList_SetBkColor, ImageList_GetBkColor, ImageList_BeginDrag, ImageList_GetIcon, ImageList_GetImageCount, ImageList_DragEnter, ImageList_GetIconSize, ImageList_SetIconSize, ImageList_Read, ImageList_DragLeave, ImageList_Draw, ImageList_Remove |
shell32.dll | SHBrowseForFolderW, SHGetMalloc, SHGetFileInfoW, SHChangeNotify, Shell_NotifyIconW, SHAppBarMessage, ShellExecuteW, SHGetPathFromIDListW, ShellExecuteExW |
user32.dll | MoveWindow, CopyImage, SetMenuItemInfoW, GetMenuItemInfoW, DefFrameProcW, ScrollWindowEx, GetDlgCtrlID, FrameRect, RegisterWindowMessageW, GetMenuStringW, FillRect, SendMessageA, EnumWindows, ShowOwnedPopups, GetClassInfoW, GetScrollRange, SetActiveWindow, GetActiveWindow, DrawEdge, GetKeyboardLayoutList, OemToCharBuffA, LoadBitmapW, EnumChildWindows, SendNotifyMessageW, GetScrollBarInfo, UnhookWindowsHookEx, SetCapture, GetCapture, ShowCaret, CreatePopupMenu, GetMenuItemID, CharLowerBuffW, PostMessageW, SetWindowLongW, IsZoomed, SetParent, DrawMenuBar, GetClientRect, IsChild, IsIconic, CallNextHookEx, ShowWindow, GetWindowTextW, SetForegroundWindow, IsDialogMessageW, DestroyWindow, RegisterClassW, EndMenu, CharNextW, GetFocus, GetDC, SetFocus, ReleaseDC, ExitWindowsEx, GetClassLongW, SetScrollRange, DrawTextW, CharToOemBuffA, PeekMessageA, MessageBeep, SetClassLongW, SetRectEmpty, RemovePropW, GetSubMenu, DestroyIcon, IsWindowVisible, DispatchMessageA, UnregisterClassW, GetTopWindow, SendMessageW, SendMessageTimeoutW, LoadStringW, CreateMenu, CharLowerW, SetWindowRgn, SetWindowPos, GetMenuItemCount, GetSysColorBrush, GetWindowDC, DrawTextExW, ReplyMessage, GetScrollInfo, SetWindowTextW, GetMessageExtraInfo, GetSysColor, EnableScrollBar, TrackPopupMenu, DrawIconEx, GetClassNameW, GetMessagePos, GetIconInfo, SetScrollInfo, GetKeyNameTextW, GetDesktopWindow, SetCursorPos, GetCursorPos, SetMenu, GetMenuState, GetMenu, SetRect, GetKeyState, ValidateRect, GetCursor, KillTimer, WaitMessage, TranslateMDISysAccel, GetWindowPlacement, CreateIconIndirect, CreateWindowExW, GetMessageW, GetDCEx, PeekMessageW, MonitorFromWindow, GetUpdateRect, SetTimer, WindowFromPoint, BeginPaint, RegisterClipboardFormatW, MapVirtualKeyW, OffsetRect, IsWindowUnicode, DispatchMessageW, DefMDIChildProcW, WaitForInputIdle, GetSystemMenu, SetScrollPos, GetScrollPos, InflateRect, DrawFocusRect, ReleaseCapture, LoadCursorW, ScrollWindow, GetLastActivePopup, GetSystemMetrics, CharUpperBuffW, ClientToScreen, SetWindowPlacement, GetMonitorInfoW, CheckMenuItem, CharUpperW, DefWindowProcW, GetForegroundWindow, EnableWindow, GetWindowThreadProcessId, RedrawWindow, EndPaint, MsgWaitForMultipleObjectsEx, LoadKeyboardLayoutW, ActivateKeyboardLayout, GetParent, InsertMenuItemW, GetPropW, MessageBoxW, SetPropW, UpdateWindow, MsgWaitForMultipleObjects, DestroyMenu, SetWindowsHookExW, AdjustWindowRectEx, IsWindow, DrawIcon, EnumThreadWindows, InvalidateRect, GetKeyboardState, ScreenToClient, DrawFrameControl, BringWindowToTop, SetCursor, CreateIcon, RemoveMenu, AppendMenuW, GetKeyboardLayoutNameW, TranslateMessage, MapWindowPoints, EnumDisplayMonitors, CallWindowProcW, DestroyCursor, PostQuitMessage, ShowScrollBar, LoadImageW, EnableMenuItem, HideCaret, FindWindowExW, MonitorFromPoint, LoadIconW, SystemParametersInfoW, GetWindow, GetWindowRect, GetWindowLongW, InsertMenuW, IsWindowEnabled, IsDialogMessageA, FindWindowW, GetKeyboardLayout, DeleteMenu |
version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW |
oleaut32.dll | SafeArrayPutElement, LoadTypeLib, GetErrorInfo, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, SafeArrayCreate, SafeArrayGetElement, GetActiveObject, SysAllocStringLen, SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, VariantCopy, RegisterTypeLib, VariantChangeType, VariantCopyInd |
advapi32.dll | RegSetValueExW, ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, GetUserNameW, RegQueryInfoKeyW, EqualSid, GetTokenInformation, RegCreateKeyExW, SetSecurityDescriptorDacl, RegEnumKeyExW, AdjustTokenPrivileges, RegDeleteKeyW, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, RegDeleteValueW, RegFlushKey, RegEnumValueW, RegQueryValueExW, ConvertSidToStringSidW, RegCloseKey, InitializeSecurityDescriptor |
msvcrt.dll | memcpy |
winhttp.dll | WinHttpGetIEProxyConfigForCurrentUser, WinHttpSetTimeouts, WinHttpSetStatusCallback, WinHttpConnect, WinHttpReceiveResponse, WinHttpQueryAuthSchemes, WinHttpGetProxyForUrl, WinHttpReadData, WinHttpCloseHandle, WinHttpQueryHeaders, WinHttpOpenRequest, WinHttpAddRequestHeaders, WinHttpOpen, WinHttpWriteData, WinHttpSetCredentials, WinHttpQueryDataAvailable, WinHttpSetOption, WinHttpSendRequest, WinHttpQueryOption |
kernel32.dll | SetFileAttributesW, SetFileTime, GetACP, GetExitCodeProcess, CloseHandle, LocalFree, GetCurrentProcessId, SizeofResource, VirtualProtect, TerminateThread, QueryPerformanceFrequency, SetHandleInformation, IsDebuggerPresent, FindNextFileW, GetFullPathNameW, VirtualFree, GetProcessHeap, ExitProcess, HeapAlloc, WriteProfileStringW, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetTimeZoneInformation, FileTimeToLocalFileTime, GetModuleHandleW, FreeLibrary, HeapDestroy, CompareFileTime, ReadFile, CreateProcessW, TransactNamedPipe, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, OpenMutexW, CreateThread, CompareStringW, CopyFileW, CreateMutexW, LoadLibraryA, GetVolumeInformationW, ResetEvent, MulDiv, FreeResource, GetDriveTypeW, GetVersion, RaiseException, MoveFileW, GlobalAddAtomW, GetSystemTimeAsFileTime, FormatMessageW, OpenProcess, SwitchToThread, GetExitCodeThread, GetCurrentThread, GetLogicalDrives, LocalFileTimeToFileTime, SetNamedPipeHandleState, LoadLibraryExW, TerminateProcess, LockResource, FileTimeToSystemTime, GetShortPathNameW, GetCurrentThreadId, UnhandledExceptionFilter, MoveFileExW, PeekNamedPipe, GlobalFindAtomW, VirtualQuery, GlobalFree, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, ReleaseMutex, FlushFileBuffers, LoadResource, SuspendThread, GetTickCount, WritePrivateProfileStringW, GetFileSize, GlobalDeleteAtom, GetStartupInfoW, GetFileAttributesW, GetCurrentDirectoryW, SetCurrentDirectoryW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, GetCurrentProcess, SetThreadPriority, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, DeviceIoControl, LCMapStringW, GetDiskFreeSpaceW, VerSetConditionMask, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, lstrcmpW, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, EnumResourceNamesW, GetSystemDirectoryW, DeleteFileW, GetEnvironmentVariableW, GetLocalTime, WaitForSingleObject, WriteFile, CreateNamedPipeW, ExitThread, CreatePipe, DeleteCriticalSection, GetDateFormatW, TlsGetValue, SetErrorMode, GetComputerNameW, IsValidLocale, TlsSetValue, CreateDirectoryW, GetOverlappedResult, GetSystemDefaultUILanguage, EnumCalendarInfoW, GetProfileStringW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, IsDBCSLeadByte, CreateEventW, GetPrivateProfileStringW, WaitForMultipleObjectsEx, GetThreadLocale, SetThreadLocale |
ole32.dll | StgCreateDocfileOnILockBytes, CoCreateInstance, CLSIDFromString, CoUninitialize, IsEqualGUID, OleInitialize, CoFreeUnusedLibraries, CreateILockBytesOnHGlobal, CLSIDFromProgID, OleUninitialize, CoDisconnectObject, CoInitialize, CoTaskMemFree, CoTaskMemAlloc, StringFromCLSID |
gdi32.dll | Arc, Pie, SetBkMode, SelectPalette, CreateCompatibleBitmap, ExcludeClipRect, RectVisible, SetWindowOrgEx, MaskBlt, AngleArc, Chord, SetTextColor, StretchBlt, SetDIBits, SetViewportOrgEx, CreateRectRgn, RealizePalette, SetDIBColorTable, GetDIBColorTable, RoundRect, RestoreDC, SetRectRgn, GetTextMetricsW, RemoveFontResourceW, GetWindowOrgEx, CreatePalette, CreateBrushIndirect, PatBlt, LineDDA, PolyBezierTo, GetStockObject, CreateSolidBrush, Polygon, Rectangle, MoveToEx, DeleteDC, SaveDC, BitBlt, Ellipse, FrameRgn, GetDeviceCaps, GetBitmapBits, GetTextExtentPoint32W, GetClipBox, Polyline, IntersectClipRect, GetSystemPaletteEntries, CreateBitmap, AddFontResourceW, CreateDIBitmap, GetStretchBltMode, CreateDIBSection, CreatePenIndirect, SetStretchBltMode, GetDIBits, CreateFontIndirectW, PolyBezier, LineTo, GetRgnBox, EnumFontsW, CreateHalftonePalette, DeleteObject, SelectObject, ExtFloodFill, UnrealizeObject, SetBkColor, CreateCompatibleDC, GetObjectW, GetBrushOrgEx, GetCurrentPositionEx, SetROP2, GetTextExtentPointW, ExtTextOutW, SetBrushOrgEx, GetPixel, ArcTo, GdiFlush, SetPixel, EnumFontFamiliesExW, GetPaletteEntries |
Name | Ordinal | Address |
---|---|---|
__dbk_fcall_wrapper | 2 | 0x411c18 |
dbkFCallWrapperAddr | 1 | 0x6bb648 |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-31T17:11:27.604380+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49700 | 104.21.52.90 | 443 | TCP |
2024-12-31T17:11:28.102968+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49700 | 104.21.52.90 | 443 | TCP |
2024-12-31T17:11:28.102968+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49700 | 104.21.52.90 | 443 | TCP |
2024-12-31T17:11:28.570045+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49706 | 104.21.52.90 | 443 | TCP |
2024-12-31T17:11:29.039854+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.7 | 49706 | 104.21.52.90 | 443 | TCP |
2024-12-31T17:11:29.039854+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49706 | 104.21.52.90 | 443 | TCP |
2024-12-31T17:11:29.847065+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49717 | 104.21.52.90 | 443 | TCP |
2024-12-31T17:11:31.079033+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49728 | 104.21.52.90 | 443 | TCP |
2024-12-31T17:11:31.881524+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.7 | 49728 | 104.21.52.90 | 443 | TCP |
2024-12-31T17:11:32.510325+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49738 | 104.21.52.90 | 443 | TCP |
2024-12-31T17:11:36.878824+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49767 | 104.21.52.90 | 443 | TCP |
2024-12-31T17:11:40.476792+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49793 | 104.21.52.90 | 443 | TCP |
2024-12-31T17:11:42.356947+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49805 | 104.21.52.90 | 443 | TCP |
2024-12-31T17:11:45.335160+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49826 | 104.21.52.90 | 443 | TCP |
2024-12-31T17:11:45.808781+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49826 | 104.21.52.90 | 443 | TCP |
2024-12-31T17:11:46.587112+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49832 | 185.161.251.21 | 443 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 31, 2024 17:11:32.050837040 CET | 49738 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:32.050849915 CET | 443 | 49738 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:32.510257959 CET | 443 | 49738 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:32.510324955 CET | 49738 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:32.511629105 CET | 49738 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:32.511640072 CET | 443 | 49738 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:32.511868954 CET | 443 | 49738 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:32.512967110 CET | 49738 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:32.513086081 CET | 49738 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:32.513109922 CET | 443 | 49738 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:32.513161898 CET | 49738 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:32.513170958 CET | 443 | 49738 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:35.159097910 CET | 443 | 49738 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:35.159395933 CET | 443 | 49738 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:35.159512997 CET | 49738 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:35.159595966 CET | 49738 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:35.159622908 CET | 443 | 49738 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:36.388089895 CET | 49767 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:36.388133049 CET | 443 | 49767 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:36.388191938 CET | 49767 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:36.388536930 CET | 49767 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:36.388550997 CET | 443 | 49767 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:36.878741980 CET | 443 | 49767 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:36.878823996 CET | 49767 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:36.880013943 CET | 49767 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:36.880024910 CET | 443 | 49767 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:36.880299091 CET | 443 | 49767 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:36.888802052 CET | 49767 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:36.888889074 CET | 49767 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:36.888927937 CET | 443 | 49767 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:39.898257971 CET | 443 | 49767 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:39.898359060 CET | 443 | 49767 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:39.898430109 CET | 49767 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:39.898591042 CET | 49767 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:39.898613930 CET | 443 | 49767 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:40.022063971 CET | 49793 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:40.022114992 CET | 443 | 49793 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:40.022222996 CET | 49793 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:40.022521019 CET | 49793 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:40.022532940 CET | 443 | 49793 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:40.476726055 CET | 443 | 49793 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:40.476792097 CET | 49793 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:40.478101969 CET | 49793 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:40.478112936 CET | 443 | 49793 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:40.478351116 CET | 443 | 49793 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:40.479732990 CET | 49793 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:40.479815006 CET | 49793 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:40.479821920 CET | 443 | 49793 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:40.917305946 CET | 443 | 49793 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:40.917402983 CET | 443 | 49793 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:40.917536974 CET | 49793 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:40.917697906 CET | 49793 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:40.917716026 CET | 443 | 49793 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:41.889101028 CET | 49805 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:41.889152050 CET | 443 | 49805 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:41.889283895 CET | 49805 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:41.889713049 CET | 49805 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:41.889723063 CET | 443 | 49805 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:42.356863976 CET | 443 | 49805 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:42.356946945 CET | 49805 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:42.358144045 CET | 49805 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:42.358155012 CET | 443 | 49805 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:42.358442068 CET | 443 | 49805 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:42.360761881 CET | 49805 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:42.361443043 CET | 49805 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:42.361475945 CET | 443 | 49805 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:42.361576080 CET | 49805 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:42.361607075 CET | 443 | 49805 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:42.361716032 CET | 49805 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:42.361757040 CET | 443 | 49805 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:42.362790108 CET | 49805 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:42.362827063 CET | 443 | 49805 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:42.368592978 CET | 49805 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:42.368638039 CET | 443 | 49805 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:42.371479034 CET | 49805 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:42.371526957 CET | 443 | 49805 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:42.371542931 CET | 49805 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:42.371551991 CET | 443 | 49805 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:42.371716976 CET | 49805 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:42.371747971 CET | 443 | 49805 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:42.371769905 CET | 49805 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:42.374501944 CET | 49805 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:42.374540091 CET | 49805 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:42.376410961 CET | 443 | 49805 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:42.380459070 CET | 49805 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:42.380497932 CET | 443 | 49805 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:42.380538940 CET | 49805 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:42.380557060 CET | 443 | 49805 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:42.380593061 CET | 49805 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:42.380611897 CET | 443 | 49805 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:44.858186007 CET | 443 | 49805 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:44.858280897 CET | 443 | 49805 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:44.858346939 CET | 49805 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:44.861012936 CET | 49805 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:44.861056089 CET | 443 | 49805 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:44.869227886 CET | 49826 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:44.869317055 CET | 443 | 49826 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:44.869415998 CET | 49826 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:44.869678020 CET | 49826 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:44.869709015 CET | 443 | 49826 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:45.335047007 CET | 443 | 49826 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:45.335160017 CET | 49826 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:45.336421013 CET | 49826 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:45.336447954 CET | 443 | 49826 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:45.336707115 CET | 443 | 49826 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:45.337887049 CET | 49826 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:45.337929964 CET | 49826 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:45.337954998 CET | 443 | 49826 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:45.808779955 CET | 443 | 49826 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:45.808873892 CET | 443 | 49826 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:45.808944941 CET | 49826 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:45.809140921 CET | 49826 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:45.809175968 CET | 443 | 49826 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:45.809194088 CET | 49826 | 443 | 192.168.2.7 | 104.21.52.90 |
Dec 31, 2024 17:11:45.809201002 CET | 443 | 49826 | 104.21.52.90 | 192.168.2.7 |
Dec 31, 2024 17:11:45.867497921 CET | 49832 | 443 | 192.168.2.7 | 185.161.251.21 |
Dec 31, 2024 17:11:45.867552996 CET | 443 | 49832 | 185.161.251.21 | 192.168.2.7 |
Dec 31, 2024 17:11:45.867656946 CET | 49832 | 443 | 192.168.2.7 | 185.161.251.21 |
Dec 31, 2024 17:11:45.868189096 CET | 49832 | 443 | 192.168.2.7 | 185.161.251.21 |
Dec 31, 2024 17:11:45.868206978 CET | 443 | 49832 | 185.161.251.21 | 192.168.2.7 |
Dec 31, 2024 17:11:46.587004900 CET | 443 | 49832 | 185.161.251.21 | 192.168.2.7 |
Dec 31, 2024 17:11:46.587111950 CET | 49832 | 443 | 192.168.2.7 | 185.161.251.21 |
Dec 31, 2024 17:11:46.593751907 CET | 49832 | 443 | 192.168.2.7 | 185.161.251.21 |
Dec 31, 2024 17:11:46.593770981 CET | 443 | 49832 | 185.161.251.21 | 192.168.2.7 |
Dec 31, 2024 17:11:46.594006062 CET | 443 | 49832 | 185.161.251.21 | 192.168.2.7 |
Dec 31, 2024 17:11:46.595141888 CET | 49832 | 443 | 192.168.2.7 | 185.161.251.21 |
Dec 31, 2024 17:11:46.635332108 CET | 443 | 49832 | 185.161.251.21 | 192.168.2.7 |
Dec 31, 2024 17:11:46.850604057 CET | 443 | 49832 | 185.161.251.21 | 192.168.2.7 |
Dec 31, 2024 17:11:46.850666046 CET | 443 | 49832 | 185.161.251.21 | 192.168.2.7 |
Dec 31, 2024 17:11:46.850706100 CET | 49832 | 443 | 192.168.2.7 | 185.161.251.21 |
Dec 31, 2024 17:11:46.850867987 CET | 49832 | 443 | 192.168.2.7 | 185.161.251.21 |
Dec 31, 2024 17:11:46.850883007 CET | 443 | 49832 | 185.161.251.21 | 192.168.2.7 |
Dec 31, 2024 17:11:46.850898981 CET | 49832 | 443 | 192.168.2.7 | 185.161.251.21 |
Dec 31, 2024 17:11:46.850903034 CET | 443 | 49832 | 185.161.251.21 | 192.168.2.7 |
Dec 31, 2024 17:11:48.296766996 CET | 59641 | 53 | 192.168.2.7 | 162.159.36.2 |
Dec 31, 2024 17:11:48.301661015 CET | 53 | 59641 | 162.159.36.2 | 192.168.2.7 |
Dec 31, 2024 17:11:48.301736116 CET | 59641 | 53 | 192.168.2.7 | 162.159.36.2 |
Dec 31, 2024 17:11:48.306679010 CET | 53 | 59641 | 162.159.36.2 | 192.168.2.7 |
Dec 31, 2024 17:11:48.748074055 CET | 59641 | 53 | 192.168.2.7 | 162.159.36.2 |
Dec 31, 2024 17:11:48.753298044 CET | 53 | 59641 | 162.159.36.2 | 192.168.2.7 |
Dec 31, 2024 17:11:48.753355026 CET | 59641 | 53 | 192.168.2.7 | 162.159.36.2 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 31, 2024 17:11:27.102585077 CET | 58940 | 53 | 192.168.2.7 | 1.1.1.1 |
Dec 31, 2024 17:11:27.115432978 CET | 53 | 58940 | 1.1.1.1 | 192.168.2.7 |
Dec 31, 2024 17:11:45.812001944 CET | 53564 | 53 | 192.168.2.7 | 1.1.1.1 |
Dec 31, 2024 17:11:45.866619110 CET | 53 | 53564 | 1.1.1.1 | 192.168.2.7 |
Dec 31, 2024 17:11:48.296252966 CET | 53 | 52543 | 162.159.36.2 | 192.168.2.7 |
Dec 31, 2024 17:11:48.771939993 CET | 64798 | 53 | 192.168.2.7 | 1.1.1.1 |
Dec 31, 2024 17:11:48.779165030 CET | 53 | 64798 | 1.1.1.1 | 192.168.2.7 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Dec 31, 2024 17:11:27.102585077 CET | 192.168.2.7 | 1.1.1.1 | 0x2a2b | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Dec 31, 2024 17:11:45.812001944 CET | 192.168.2.7 | 1.1.1.1 | 0xac6c | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Dec 31, 2024 17:11:48.771939993 CET | 192.168.2.7 | 1.1.1.1 | 0x2246 | Standard query (0) | | PTR (Pointer record) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Dec 31, 2024 17:11:27.115432978 CET | 1.1.1.1 | 192.168.2.7 | 0x2a2b | No error (0) | | | 104.21.52.90 | A (IP address) | IN (0x0001) | false |
Dec 31, 2024 17:11:27.115432978 CET | 1.1.1.1 | 192.168.2.7 | 0x2a2b | No error (0) | | | 172.67.197.142 | A (IP address) | IN (0x0001) | false |
Dec 31, 2024 17:11:45.866619110 CET | 1.1.1.1 | 192.168.2.7 | 0xac6c | No error (0) | | | 185.161.251.21 | A (IP address) | IN (0x0001) | false |
Dec 31, 2024 17:11:48.779165030 CET | 1.1.1.1 | 192.168.2.7 | 0x2246 | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.7 | 49700 | 104.21.52.90 | 443 | 7284 | C:\Users\user\Desktop\Active_Setup.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-31 16:11:27 UTC | 263 | OUT | |
2024-12-31 16:11:27 UTC | 8 | OUT | |
2024-12-31 16:11:28 UTC | 1123 | IN | |
2024-12-31 16:11:28 UTC | 7 | IN | |
2024-12-31 16:11:28 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.7 | 49706 | 104.21.52.90 | 443 | 7284 | C:\Users\user\Desktop\Active_Setup.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-31 16:11:28 UTC | 264 | OUT | |
2024-12-31 16:11:28 UTC | 78 | OUT | |
2024-12-31 16:11:29 UTC | 1129 | IN | |
2024-12-31 16:11:29 UTC | 240 | IN | |
2024-12-31 16:11:29 UTC | 1369 | IN | |
2024-12-31 16:11:29 UTC | 1369 | IN | |
2024-12-31 16:11:29 UTC | 1369 | IN | |
2024-12-31 16:11:29 UTC | 1369 | IN | |
2024-12-31 16:11:29 UTC | 1369 | IN | |
2024-12-31 16:11:29 UTC | 287 | IN | |
2024-12-31 16:11:29 UTC | 1369 | IN | |
2024-12-31 16:11:29 UTC | 1369 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.7 | 49717 | 104.21.52.90 | 443 | 7284 | C:\Users\user\Desktop\Active_Setup.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-31 16:11:29 UTC | 281 | OUT | |
2024-12-31 16:11:29 UTC | 12837 | OUT | |
2024-12-31 16:11:30 UTC | 1124 | IN | |
2024-12-31 16:11:30 UTC | 20 | IN | |
2024-12-31 16:11:30 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.7 | 49728 | 104.21.52.90 | 443 | 7284 | C:\Users\user\Desktop\Active_Setup.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-31 16:11:31 UTC | 276 | OUT | |
2024-12-31 16:11:31 UTC | 15039 | OUT | |
2024-12-31 16:11:31 UTC | 1124 | IN | |
2024-12-31 16:11:31 UTC | 20 | IN | |
2024-12-31 16:11:31 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.7 | 49738 | 104.21.52.90 | 443 | 7284 | C:\Users\user\Desktop\Active_Setup.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-31 16:11:32 UTC | 276 | OUT | |
2024-12-31 16:11:32 UTC | 15331 | OUT | |
2024-12-31 16:11:32 UTC | 5033 | OUT | |
2024-12-31 16:11:35 UTC | 1126 | IN | |
2024-12-31 16:11:35 UTC | 20 | IN | |
2024-12-31 16:11:35 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.7 | 49767 | 104.21.52.90 | 443 | 7284 | C:\Users\user\Desktop\Active_Setup.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-31 16:11:36 UTC | 272 | OUT | |
2024-12-31 16:11:36 UTC | 3767 | OUT | |
2024-12-31 16:11:39 UTC | 1138 | IN | |
2024-12-31 16:11:39 UTC | 20 | IN | |
2024-12-31 16:11:39 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.7 | 49793 | 104.21.52.90 | 443 | 7284 | C:\Users\user\Desktop\Active_Setup.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-31 16:11:40 UTC | 279 | OUT | |
2024-12-31 16:11:40 UTC | 1221 | OUT | |
2024-12-31 16:11:40 UTC | 1118 | IN | |
2024-12-31 16:11:40 UTC | 20 | IN | |
2024-12-31 16:11:40 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.7 | 49805 | 104.21.52.90 | 443 | 7284 | C:\Users\user\Desktop\Active_Setup.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-31 16:11:42 UTC | 276 | OUT | |
2024-12-31 16:11:42 UTC | 15331 | OUT | |
2024-12-31 16:11:42 UTC | 15331 | OUT | |
2024-12-31 16:11:42 UTC | 15331 | OUT | |
2024-12-31 16:11:42 UTC | 15331 | OUT | |
2024-12-31 16:11:42 UTC | 15331 | OUT | |
2024-12-31 16:11:42 UTC | 15331 | OUT | |
2024-12-31 16:11:42 UTC | 15331 | OUT | |
2024-12-31 16:11:42 UTC | 15331 | OUT | |
2024-12-31 16:11:42 UTC | 15331 | OUT | |
2024-12-31 16:11:42 UTC | 15331 | OUT | |
2024-12-31 16:11:44 UTC | 1133 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
8 | 192.168.2.7 | 49826 | 104.21.52.90 | 443 | 7284 | C:\Users\user\Desktop\Active_Setup.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-31 16:11:45 UTC | 265 | OUT | |
2024-12-31 16:11:45 UTC | 113 | OUT | |
2024-12-31 16:11:45 UTC | 1126 | IN | |
2024-12-31 16:11:45 UTC | 218 | IN | |
2024-12-31 16:11:45 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
9 | 192.168.2.7 | 49832 | 185.161.251.21 | 443 | 7284 | C:\Users\user\Desktop\Active_Setup.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-31 16:11:46 UTC | 201 | OUT | |
2024-12-31 16:11:46 UTC | 249 | IN | |
2024-12-31 16:11:46 UTC | 329 | IN |
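The session tables above have a recognisable shape. On every connection the first OUT record is roughly 270 bytes and the first IN record roughly 1130 bytes, consistent with connection setup; what differs is the application data after it. Sessions 2, 3, 4, 5 and 7 to 104.21.52.90 then send kilobytes outbound (session 7 sends ten consecutive 15331-byte records) and receive only a few bytes back, whereas session 1 and session 9 receive more than they send. The script below is an added example, not part of the Joe Sandbox report, that parses rows in the exact format printed above and flags sessions by outbound/inbound byte ratio. MIN_UPLOAD and OUT_IN_RATIO are assumed thresholds chosen for illustration, not values taken from Joe Sandbox or from Lumma; the embedded sample is sessions 2, 7 and 9 copied from the tables above.

```python
"""Added example, not part of the Joe Sandbox report: parse the HTTPS session
tables and flag sessions whose byte profile looks like an upload (far more
bytes OUT than IN).  MIN_UPLOAD and OUT_IN_RATIO are assumed thresholds."""
from dataclasses import dataclass, field

# Sessions 2, 7 and 9 copied verbatim from the report's session tables.
REPORT = r"""
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.7 | 49717 | 104.21.52.90 | 443 | 7284 | C:\Users\user\Desktop\Active_Setup.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-31 16:11:29 UTC | 281 | OUT | |
2024-12-31 16:11:29 UTC | 12837 | OUT | |
2024-12-31 16:11:30 UTC | 1124 | IN | |
2024-12-31 16:11:30 UTC | 20 | IN | |
2024-12-31 16:11:30 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.7 | 49805 | 104.21.52.90 | 443 | 7284 | C:\Users\user\Desktop\Active_Setup.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-31 16:11:42 UTC | 276 | OUT | |
2024-12-31 16:11:42 UTC | 15331 | OUT | |
2024-12-31 16:11:42 UTC | 15331 | OUT | |
2024-12-31 16:11:42 UTC | 15331 | OUT | |
2024-12-31 16:11:42 UTC | 15331 | OUT | |
2024-12-31 16:11:42 UTC | 15331 | OUT | |
2024-12-31 16:11:42 UTC | 15331 | OUT | |
2024-12-31 16:11:42 UTC | 15331 | OUT | |
2024-12-31 16:11:42 UTC | 15331 | OUT | |
2024-12-31 16:11:42 UTC | 15331 | OUT | |
2024-12-31 16:11:42 UTC | 15331 | OUT | |
2024-12-31 16:11:44 UTC | 1133 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
9 | 192.168.2.7 | 49832 | 185.161.251.21 | 443 | 7284 | C:\Users\user\Desktop\Active_Setup.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-31 16:11:46 UTC | 201 | OUT | |
2024-12-31 16:11:46 UTC | 249 | IN | |
2024-12-31 16:11:46 UTC | 329 | IN |
"""

MIN_UPLOAD = 2048    # assumption: ignore sessions that send less than this many bytes
OUT_IN_RATIO = 3.0   # assumption: flag when OUT bytes >= ratio * IN bytes


@dataclass
class Session:
    sid: int
    dst: str
    dport: int
    pid: int
    process: str
    transfers: list = field(default_factory=list)   # (direction, nbytes) in report order

    def total(self, direction):
        return sum(n for d, n in self.transfers if d == direction)

    def repeated_out_chunk(self):
        """Largest OUT record size that occurs more than once (fixed-size chunking), else None."""
        sizes = [n for d, n in self.transfers if d == "OUT"]
        dups = {s for s in sizes if sizes.count(s) > 1}
        return max(dups) if dups else None

    def suspicious(self):
        out, inb = self.total("OUT"), self.total("IN")
        return out >= MIN_UPLOAD and out >= OUT_IN_RATIO * max(inb, 1)


def parse_sessions(text):
    """A 7-cell row with numeric id/port opens a session; IN/OUT rows attach to the open one.
    Header and '---' separator rows fail both tests and are skipped."""
    sessions, cur = [], None
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 7 and cells[0].isdigit() and cells[4].isdigit():
            cur = Session(int(cells[0]), cells[3], int(cells[4]), int(cells[5]), cells[6])
            sessions.append(cur)
        elif cur and len(cells) >= 3 and cells[2] in ("IN", "OUT") and cells[1].isdigit():
            cur.transfers.append((cells[2], int(cells[1])))
    return sessions


def exfil_summary(text):
    """Return the flagged sessions and the bytes uploaded per destination IP over them."""
    flagged = [s for s in parse_sessions(text) if s.suspicious()]
    per_host = {}
    for s in flagged:
        per_host[s.dst] = per_host.get(s.dst, 0) + s.total("OUT")
    return flagged, per_host


if __name__ == "__main__":
    flagged, per_host = exfil_summary(REPORT)
    for s in flagged:
        print(f"session {s.sid} -> {s.dst}:{s.dport} pid={s.pid} out={s.total('OUT')} "
              f"in={s.total('IN')} repeated_chunk={s.repeated_out_chunk()}")
    print("bytes uploaded per host:", per_host)
```

Run against the three embedded sessions this flags sessions 2 and 7 (166704 bytes to 104.21.52.90 between them) and leaves session 9 alone; pasting all ten sessions from the report in place of the sample also picks up 3, 4 and 5, while session 6 (1500 bytes out) stays under MIN_UPLOAD. The byte counts are whatever the sandbox recorded per TLS record, so they include record overhead, and a plain out/in ratio will also fire on legitimate uploads; in production the thresholds need tuning against a baseline of the host's normal browser and updater traffic, and the hit should be joined with the process path and PID columns, which here tie every session back to Active_Setup.exe (PID 7284).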
Target ID: | 0 |
Start time: | 11:11:14 |
Start date: | 31/12/2024 |
Path: | C:\Users\user\Desktop\Active_Setup.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x9c0000 |
File size: | 78'065'437 bytes |
MD5 hash: | E33268982207781838161261E248276B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | Borland Delphi |
Yara matches: |
Reputation: | low |
Has exited: | false |
Execution Graph
Execution Coverage: | 3.9% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 18.2% |
Total number of Nodes: | 110 |
Total number of Limit Nodes: | 8 |
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
009EC494 | 21.1 | 8 | 4 | 129 | registry, COMMON |
00ACFE60 | 3.9 | 1 | 1 | 938 | memory, COMMON |
009CFA34 | 3.1 | 2 | | 64 | COMMON |
009CF8DC | 3.0 | 2 | | 34 | file, COMMON |
009CF4F8 | 28.2 | 12 | 4 | 178 | registry, COMMON |
009D1D98 | 13.8 | 9 | | 258 | COMMON |
009CFB04 | 3.1 | 2 | | 94 | COMMON |
009CFC2C | 3.1 | 2 | | 56 | library, COMMON |
009EE108 | 3.0 | 2 | | 34 | library, COMMON |
009EF770 | 1.6 | 1 | | 50 | COMMON |
009CE96C | 1.5 | 1 | | 26 | COMMON |
009EE165 | 1.5 | 1 | | 11 | COMMON |
00A6EEE4 | 1.3 | 1 | | 52 | memory, COMMON |
009C5828 | 1.3 | 1 | | 41 | memory, COMMON |
00C4E1CC | 10.7 | 5 | 1 | 174 | window, COMMON |
00C60AA4 | 10.6 | 4 | 2 | 91 | file, COMMON |
00A602E4 | 6.1 | 4 | | 51 | COMMON |
00A6C6C0 | 3.1 | 2 | | 61 | COMMON |
00AA873C | 3.0 | 2 | | 47 | window, COMMON |
00BD6440 | 1.6 | 1 | | 76 | com, COMMON |
00887600 | 0.6 | | | 554 | COMMON |
0087EC00 | 0.5 | | | 536 | COMMON |
008817DF | 0.3 | | | 318 | COMMON |
00887241 | 0.1 | | | 77 | COMMON |
00BC03A0 | 19.5 | 7 | 4 | 255 | registry, COMMON |
009D6244 | 19.3 | 6 | 5 | 61 | window, registry, COMMON |
009EA2B0 | 16.0 | 2 | 7 | 257 | thread, COMMON |
00B7E3FC | 14.2 | 5 | 3 | 212 | file, pipe, COMMON |
009C60C0 | 10.9 | 7 | | 406 | COMMON |
009CA504 | 10.5 | 4 | 2 | 40 | file, COMMON |
00C563A4 | 9.1 | 6 | | 66 | COMMON |
009C640C | 9.1 | 6 | | 51 | file, COMMON |
009FA3D0 | 7.8 | 5 | | 274 | COMMON |
00BD6124 | 7.1 | 2 | 2 | 55 | registry, COMMON |
00BD8A20 | 7.0 | 1 | 3 | 39 | registry, COMMON |
00B84114 | 6.1 | 4 | | 60 | COMMON |
00B6CAB4 | 6.1 | 4 | | 53 | window, COMMON |
00C54660 | 6.0 | 4 | | 34 | sleep, COMMON |
00C5E5FC | 5.3 | 2 | 1 | 60 | process, COMMON |