Windows Analysis Report: Loader.exe

Overview

General Information

Detection

Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- Loader.exe (PID: 4980 cmdline: "C:\Users\user\Desktop\Loader.exe" MD5: 932410F2B859E916C9C7A8B801348466)
- conhost.exe (PID: 6604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- Loader.exe (PID: 6472 cmdline: "C:\Users\user\Desktop\Loader.exe" MD5: 932410F2B859E916C9C7A8B801348466)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | |
{"C2 url": ["noisycuttej.shop", "tirepublicerj.shop", "cloudewahsj.shop", "rabidcowse.shop", "wholersorie.shop", "abruptyopsn.shop", "fancywaxxers.shop", "framekgirus.shop", "nearycrepso.shop"], "Build id": "yau6Na--5809224103"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
 | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
(5 entries) | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-31T17:38:09.546494+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49704 | 104.21.80.1 | 443 | TCP |
2024-12-31T17:38:38.303746+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49781 | 104.21.80.1 | 443 | TCP |
2024-12-31T17:38:39.548056+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49792 | 104.21.80.1 | 443 | TCP |
2024-12-31T17:38:41.043154+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49800 | 104.21.80.1 | 443 | TCP |
2024-12-31T17:38:43.396652+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49815 | 104.21.80.1 | 443 | TCP |
2024-12-31T17:38:45.340382+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49827 | 104.21.80.1 | 443 | TCP |
2024-12-31T17:38:47.321564+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49842 | 104.21.80.1 | 443 | TCP |
2024-12-31T17:38:49.423943+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49858 | 104.21.80.1 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-31T17:38:37.817926+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49704 | 104.21.80.1 | 443 | TCP |
2024-12-31T17:38:38.773454+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49781 | 104.21.80.1 | 443 | TCP |
2024-12-31T17:38:49.900923+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49858 | 104.21.80.1 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-31T17:38:37.817926+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49704 | 104.21.80.1 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-31T17:38:38.773454+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.5 | 49781 | 104.21.80.1 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-31T17:38:09.546494+0100 | 2058657 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49704 | 104.21.80.1 | 443 | TCP |
2024-12-31T17:38:38.303746+0100 | 2058657 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49781 | 104.21.80.1 | 443 | TCP |
2024-12-31T17:38:39.548056+0100 | 2058657 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49792 | 104.21.80.1 | 443 | TCP |
2024-12-31T17:38:41.043154+0100 | 2058657 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49800 | 104.21.80.1 | 443 | TCP |
2024-12-31T17:38:43.396652+0100 | 2058657 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49815 | 104.21.80.1 | 443 | TCP |
2024-12-31T17:38:45.340382+0100 | 2058657 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49827 | 104.21.80.1 | 443 | TCP |
2024-12-31T17:38:47.321564+0100 | 2058657 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49842 | 104.21.80.1 | 443 | TCP |
2024-12-31T17:38:49.423943+0100 | 2058657 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49858 | 104.21.80.1 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-31T17:38:09.045715+0100 | 2058656 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 65173 | 1.1.1.1 | 53 | UDP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-31T17:38:40.377926+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49792 | 104.21.80.1 | 443 | TCP |
AV Detection |
---|
Source: | Avira URL Cloud: | (11 entries) |
Source: | Malware Configuration Extractor: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | String decryptor: | (15 entries) |
Source: | Code function: | 3_2_00414A9A |
Source: | Static PE information: |
Source: | HTTPS traffic detected: | (8 entries) |
Source: | Code function: | 0_2_0033B6A8 | |
Source: | Code function: | 0_2_0033B759 | |
Source: | Code function: | 3_2_0033B6A8 | |
Source: | Code function: | 3_2_0033B759 |
Source: | Code function: | 3_2_0042207D | |
Source: | Code function: | 3_2_0042207D | |
Source: | Code function: | 3_2_00420830 | |
Source: | Code function: | 3_2_0042DA21 | |
Source: | Code function: | 3_2_0043F23F | |
Source: | Code function: | 3_2_0042D2FF | |
Source: | Code function: | 3_2_00414A9A | |
Source: | Code function: | 3_2_00414A9A | |
Source: | Code function: | 3_2_00414A9A | |
Source: | Code function: | 3_2_00439B30 | |
Source: | Code function: | 3_2_00439B30 | |
Source: | Code function: | 3_2_00439B30 | |
Source: | Code function: | 3_2_00426B80 | |
Source: | Code function: | 3_2_0040CEC7 | |
Source: | Code function: | 3_2_00440ED0 | |
Source: | Code function: | 3_2_00441F50 | |
Source: | Code function: | 3_2_0040D75B | |
Source: | Code function: | 3_2_0040D75B | |
Source: | Code function: | 3_2_0040D75B | |
Source: | Code function: | 3_2_0040D75B | |
Source: | Code function: | 3_2_0040D75B | |
Source: | Code function: | 3_2_0043CFDB | |
Source: | Code function: | 3_2_00427050 | |
Source: | Code function: | 3_2_00427050 | |
Source: | Code function: | 3_2_00427050 | |
Source: | Code function: | 3_2_00427879 | |
Source: | Code function: | 3_2_00427030 | |
Source: | Code function: | 3_2_0041B8D4 | |
Source: | Code function: | 3_2_00405910 | |
Source: | Code function: | 3_2_00405910 | |
Source: | Code function: | 3_2_00416914 | |
Source: | Code function: | 3_2_00416914 | |
Source: | Code function: | 3_2_00416914 | |
Source: | Code function: | 3_2_00420130 | |
Source: | Code function: | 3_2_0042B1E0 | |
Source: | Code function: | 3_2_00421980 | |
Source: | Code function: | 3_2_0043D9A0 | |
Source: | Code function: | 3_2_0042AA70 | |
Source: | Code function: | 3_2_004162D2 | |
Source: | Code function: | 3_2_004162D2 | |
Source: | Code function: | 3_2_0043EAF2 | |
Source: | Code function: | 3_2_0041AA81 | |
Source: | Code function: | 3_2_0041AA81 | |
Source: | Code function: | 3_2_00436320 | |
Source: | Code function: | 3_2_0042BBCB | |
Source: | Code function: | 3_2_0042CC46 | |
Source: | Code function: | 3_2_00407470 | |
Source: | Code function: | 3_2_0042BC0F | |
Source: | Code function: | 3_2_0042BB79 | |
Source: | Code function: | 3_2_0041CD40 | |
Source: | Code function: | 3_2_00428D4A | |
Source: | Code function: | 3_2_00413D50 | |
Source: | Code function: | 3_2_00413D50 | |
Source: | Code function: | 3_2_0043D560 | |
Source: | Code function: | 3_2_0042AD70 | |
Source: | Code function: | 3_2_00423D10 | |
Source: | Code function: | 3_2_00423D10 | |
Source: | Code function: | 3_2_00402530 | |
Source: | Code function: | 3_2_00429DF0 | |
Source: | Code function: | 3_2_00423D10 | |
Source: | Code function: | 3_2_00423D10 | |
Source: | Code function: | 3_2_0040BDB9 | |
Source: | Code function: | 3_2_00423E62 | |
Source: | Code function: | 3_2_0042CE63 | |
Source: | Code function: | 3_2_0043A660 | |
Source: | Code function: | 3_2_0043A660 | |
Source: | Code function: | 3_2_00416E62 | |
Source: | Code function: | 3_2_00421600 | |
Source: | Code function: | 3_2_0042C63D | |
Source: | Code function: | 3_2_0043F6E3 | |
Source: | Code function: | 3_2_004096B0 | |
Source: | Code function: | 3_2_004096B0 | |
Source: | Code function: | 3_2_00402F10 | |
Source: | Code function: | 3_2_00408FE0 | |
Source: | Code function: | 3_2_00417FBC |
Networking |
---|
Source: | Suricata IDS: | (15 entries) |
Source: | URLs: | (9 entries) |
Source: | IP Address: |
Source: | JA3 fingerprint: |
Source: | Suricata IDS: | (8 entries) |
Source: | HTTP traffic detected: | (8 entries) |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: | (49 entries) |
Source: | Network traffic detected: | (16 entries) |
Source: | HTTPS traffic detected: | (8 entries) |
Source: | Code function: | 3_2_00434280 |
Source: | Code function: | 3_2_052A1000 |
Source: | Code function: | 3_2_00434280 |
Source: | Code function: | 3_2_00434460 |
Source: | Code function: | 0_2_0032C044 | |
Source: | Code function: | 0_2_0033EA4E | |
Source: | Code function: | 0_2_00333400 | |
Source: | Code function: | 0_2_003404C2 | |
Source: | Code function: | 0_2_0032DDA2 | |
Source: | Code function: | 0_2_0032969B | |
Source: | Code function: | 3_2_0032C044 | |
Source: | Code function: | 3_2_0033EA4E | |
Source: | Code function: | 3_2_00333400 | |
Source: | Code function: | 3_2_003404C2 | |
Source: | Code function: | 3_2_0032DDA2 | |
Source: | Code function: | 3_2_0032969B | |
Source: | Code function: | 3_2_0043D050 | |
Source: | Code function: | 3_2_0042207D | |
Source: | Code function: | 3_2_00439800 | |
Source: | Code function: | 3_2_00441900 | |
Source: | Code function: | 3_2_00411920 | |
Source: | Code function: | 3_2_0042DA21 | |
Source: | Code function: | 3_2_00414A9A | |
Source: | Code function: | 3_2_00439B30 | |
Source: | Code function: | 3_2_00426B80 | |
Source: | Code function: | 3_2_00420DD0 | |
Source: | Code function: | 3_2_0040CEC7 | |
Source: | Code function: | 3_2_00422F70 | |
Source: | Code function: | 3_2_0043F73E | |
Source: | Code function: | 3_2_00440FD0 | |
Source: | Code function: | 3_2_0040FFD6 | |
Source: | Code function: | 3_2_004087B0 | |
Source: | Code function: | 3_2_00427050 | |
Source: | Code function: | 3_2_00440065 | |
Source: | Code function: | 3_2_00434060 | |
Source: | Code function: | 3_2_00427879 | |
Source: | Code function: | 3_2_00418816 | |
Source: | Code function: | 3_2_0041D020 | |
Source: | Code function: | 3_2_00422830 | |
Source: | Code function: | 3_2_0040C8E5 | |
Source: | Code function: | 3_2_00440880 | |
Source: | Code function: | 3_2_0040A8B0 | |
Source: | Code function: | 3_2_00405910 | |
Source: | Code function: | 3_2_00416914 | |
Source: | Code function: | 3_2_00403920 | |
Source: | Code function: | 3_2_0041D920 | |
Source: | Code function: | 3_2_00440920 | |
Source: | Code function: | 3_2_0040B132 | |
Source: | Code function: | 3_2_00420130 | |
Source: | Code function: | 3_2_004191C0 | |
Source: | Code function: | 3_2_004359C5 | |
Source: | Code function: | 3_2_004371FD | |
Source: | Code function: | 3_2_00421980 | |
Source: | Code function: | 3_2_0043D9A0 | |
Source: | Code function: | 3_2_004381AC | |
Source: | Code function: | 3_2_004409B0 | |
Source: | Code function: | 3_2_00438A55 | |
Source: | Code function: | 3_2_00427A6E | |
Source: | Code function: | 3_2_0040F27E | |
Source: | Code function: | 3_2_00406200 | |
Source: | Code function: | 3_2_00415A05 | |
Source: | Code function: | 3_2_00418A30 | |
Source: | Code function: | 3_2_00439230 | |
Source: | Code function: | 3_2_00415A05 | |
Source: | Code function: | 3_2_004042D0 | |
Source: | Code function: | 3_2_004162D2 | |
Source: | Code function: | 3_2_00423AE0 | |
Source: | Code function: | 3_2_00429AFE | |
Source: | Code function: | 3_2_0041AA81 | |
Source: | Code function: | 3_2_004262A0 | |
Source: | Code function: | 3_2_00437AA0 | |
Source: | Code function: | 3_2_004092B0 | |
Source: | Code function: | 3_2_004412B0 | |
Source: | Code function: | 3_2_0041EB50 | |
Source: | Code function: | 3_2_00402B70 | |
Source: | Code function: | 3_2_0040A312 | |
Source: | Code function: | 3_2_004183FA | |
Source: | Code function: | 3_2_0041A3B0 | |
Source: | Code function: | 3_2_00430C5A | |
Source: | Code function: | 3_2_00407470 | |
Source: | Code function: | 3_2_00423C70 | |
Source: | Code function: | 3_2_0043AC70 | |
Source: | Code function: | 3_2_00410C79 | |
Source: | Code function: | 3_2_00404C10 | |
Source: | Code function: | 3_2_0041D430 | |
Source: | Code function: | 3_2_004114CB | |
Source: | Code function: | 3_2_004354B7 | |
Source: | Code function: | 3_2_0041CD40 | |
Source: | Code function: | 3_2_0043ED4D | |
Source: | Code function: | 3_2_00413D50 | |
Source: | Code function: | 3_2_004415C0 | |
Source: | Code function: | 3_2_0041BDD0 | |
Source: | Code function: | 3_2_00429DF0 | |
Source: | Code function: | 3_2_0043059D | |
Source: | Code function: | 3_2_0043AE47 | |
Source: | Code function: | 3_2_00405E60 | |
Source: | Code function: | 3_2_00423E62 | |
Source: | Code function: | 3_2_0043A660 | |
Source: | Code function: | 3_2_00416E62 | |
Source: | Code function: | 3_2_00418E1C | |
Source: | Code function: | 3_2_0042D6D6 | |
Source: | Code function: | 3_2_00440680 | |
Source: | Code function: | 3_2_00406690 | |
Source: | Code function: | 3_2_0041A690 | |
Source: | Code function: | 3_2_004096B0 | |
Source: | Code function: | 3_2_00440770 | |
Source: | Code function: | 3_2_0043E776 | |
Source: | Code function: | 3_2_00402F10 | |
Source: | Code function: | 3_2_00439710 | |
Source: | Code function: | 3_2_004237C0 | |
Source: | Code function: | 3_2_00438FD0 | |
Source: | Code function: | 3_2_0042BFB4 | |
Source: | Code function: | 3_2_00417FBC |
Source: | Static PE information: |
Source: | Static PE information: | (2 entries) |
Source: | Classification label: |
Source: | Code function: | 3_2_00439B30 |
Source: | Mutant created: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Binary or memory string: |
Source: | File read: |
Source: | Process created: | (4 entries) |
Source: | Section loaded: | (39 entries) |
Source: | Static PE information: | (5 entries) |
Source: | Code function: | 0_2_00329D7D | |
Source: | Code function: | 3_2_00329D7D | |
Source: | Code function: | 3_2_00449A39 | |
Source: | Code function: | 3_2_00447BD9 | |
Source: | Code function: | 3_2_0043D49F | |
Source: | Code function: | 3_2_00440632 | |
Source: | Code function: | 3_2_00449702 | |
Source: | Code function: | 3_2_0044686F |
Source: | Registry key monitored for changes: | (2 entries) |
Source: | Process information set: |
Malware Analysis System Evasion |
---|
Source: | WMI Queries: |
Source: | System information queried: |
Source: | Window / User API: |
Source: | Thread sleep time: |
Source: | Thread sleep count: |
Source: | WMI Queries: |
Source: | Last function: | (2 entries) |
Source: | Code function: | 0_2_0033B6A8 | |
Source: | Code function: | 0_2_0033B759 | |
Source: | Code function: | 3_2_0033B6A8 | |
Source: | Code function: | 3_2_0033B759 |
Source: | Binary or memory string: | (35 entries) |
Source: | API call chain: | graph_3-31924 |
Source: | Process information queried: |
Source: | Code function: | 3_2_0043EEC0 |
Source: | Code function: | 0_2_00329A33 |
Source: | Code function: | 0_2_0035019E | |
Source: | Code function: | 0_2_00321BA0 | |
Source: | Code function: | 3_2_00321BA0 |
Source: | Code function: | 0_2_00336FE0 |
Source: | Code function: | 0_2_00329A33 | |
Source: | Code function: | 0_2_00331A20 | |
Source: | Code function: | 0_2_00329A27 | |
Source: | Code function: | 0_2_00329673 | |
Source: | Code function: | 3_2_00329A33 | |
Source: | Code function: | 3_2_00331A20 | |
Source: | Code function: | 3_2_00329A27 | |
Source: | Code function: | 3_2_00329673 |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Code function: | 0_2_0035019E |
Source: | Memory written: |
Source: | String found in binary or memory: | (9 entries) |
Source: | Process created: |
Source: | Code function: | 0_2_003368BD | |
Source: | Code function: | 0_2_0033B085 | |
Source: | Code function: | 0_2_0033B0D0 | |
Source: | Code function: | 0_2_0033B177 | |
Source: | Code function: | 0_2_0033A9F7 | |
Source: | Code function: | 0_2_0033B27D | |
Source: | Code function: | 0_2_003363B5 | |
Source: | Code function: | 0_2_0033AC48 | |
Source: | Code function: | 0_2_0033ACF0 | |
Source: | Code function: | 0_2_0033AF43 | |
Source: | Code function: | 0_2_0033AFB0 | |
Source: | Code function: | 3_2_003368BD | |
Source: | Code function: | 3_2_0033B085 | |
Source: | Code function: | 3_2_0033B0D0 | |
Source: | Code function: | 3_2_0033B177 | |
Source: | Code function: | 3_2_0033A9F7 | |
Source: | Code function: | 3_2_0033B27D | |
Source: | Code function: | 3_2_003363B5 | |
Source: | Code function: | 3_2_0033AC48 | |
Source: | Code function: | 3_2_0033ACF0 | |
Source: | Code function: | 3_2_0033AF43 | |
Source: | Code function: | 3_2_0033AFB0 |
Source: | Queries volume information: |
Source: | Code function: | 0_2_0032A2F5 |
Source: | Key value queried: |
Source: | Binary or memory string: |
Source: | WMI Queries: |
Stealing of Sensitive Information |
---|
Source: | File source: | (3 entries) |
Source: | String found in binary or memory: | (9 entries) |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | Directory queried: | Jump to behavior | ||
Source: | File source: | ||
Remote Access Functionality |
---|
Source: | File source: | ||
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 DLL Side-Loading | 211 Process Injection | 21 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 211 Process Injection | LSASS Memory | 1 Query Registry | Remote Desktop Protocol | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 241 Security Software Discovery | SMB/Windows Admin Shares | 41 Data from Local System | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 21 Virtualization/Sandbox Evasion | Distributed Component Object Model | 3 Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 11 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 33 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira URL Cloud | malware | ||
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
fancywaxxers.shop | 104.21.80.1 | true | false | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
false | high | ||
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
104.21.80.1 | fancywaxxers.shop | United States | 13335 | CLOUDFLARENETUS | false |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1582872 |
Start date and time: | 2024-12-31 17:37:18 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 13s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 6 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | Loader.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@4/0@1/1 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- VT rate limit hit for: Loader.exe
Time | Type | Description |
---|---|---|
11:38:37 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
104.21.80.1 | | Get hash | malicious | FormBook | Browse | |
104.21.80.1 | | Get hash | malicious | CMSBrute | Browse | |
104.21.80.1 | | Get hash | malicious | XWorm | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
fancywaxxers.shop | | Get hash | malicious | LummaC | Browse | |
fancywaxxers.shop | | Get hash | malicious | LummaC | Browse | |
fancywaxxers.shop | | Get hash | malicious | LummaC | Browse | |
fancywaxxers.shop | | Get hash | malicious | LummaC | Browse | |
fancywaxxers.shop | | Get hash | malicious | LummaC | Browse | |
fancywaxxers.shop | | Get hash | malicious | LummaC, Amadey, LummaC Stealer | Browse | |
fancywaxxers.shop | | Get hash | malicious | LummaC | Browse | |
fancywaxxers.shop | | Get hash | malicious | LummaC | Browse | |
fancywaxxers.shop | | Get hash | malicious | LummaC | Browse | |
fancywaxxers.shop | | Get hash | malicious | LummaC | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CLOUDFLARENETUS | | Get hash | malicious | Unknown | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | LummaC | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | LummaC | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | LummaC | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | Unknown | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | Titanium Proxy, PureLog Stealer | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | Vidar | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | Titanium Proxy, PureLog Stealer | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | Unknown | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | Unknown | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | LummaC | Browse | |
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | LummaC | Browse | |
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | LummaC | Browse | |
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | LummaC | Browse | |
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | LummaC | Browse | |
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | LummaC | Browse | |
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | LummaC, Amadey, LummaC Stealer | Browse | |
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | LummaC | Browse | |
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | DBatLoader | Browse | |
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | LummaC | Browse | |
File type: | |
Entropy (8bit): | 7.827208604265299 |
TrID: | |
File name: | Loader.exe |
File size: | 834'048 bytes |
MD5: | 932410f2b859e916c9c7a8b801348466 |
SHA1: | f59ac63b492dbc16a7eedd3d18efc59acf21a6a7 |
SHA256: | 17e94a7a504d2b8ab36914f0b5d2bebd9a2acd21533cfba1ca410c6594498272 |
SHA512: | 5fe38a836bf8a9baeae6066ed33262ec8352126608b0568243feed1b770282952670c35df6e7bd77dcf296aa26a478bafd0bc9123c4b4bcceb97aba67ee4fd1c |
SSDEEP: | 24576:Y4dPpQPmY1dzvMoyZljM6ur1dzvMoyZljM6u+:hdPp/M5vMb3TuB5vMb3Tu+ |
TLSH: | 480512517982C0B3CC631AB759FDA3B5562EF9600B21A9DF47D40FBE6F621C05630B2A |
File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....rg.................H........................@.......................................@.....................................(.. |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x40a2a0 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x6772AADA [Mon Dec 30 14:14:50 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | d6bfc0ff235c28cc21f6045af30834e6 |
Instruction |
---|
call 00007F8C74DE5EDAh |
jmp 00007F8C74DE5D3Dh |
mov ecx, dword ptr [004307C0h] |
push esi |
push edi |
mov edi, BB40E64Eh |
mov esi, FFFF0000h |
cmp ecx, edi |
je 00007F8C74DE5ED6h |
test esi, ecx |
jne 00007F8C74DE5EF8h |
call 00007F8C74DE5F01h |
mov ecx, eax |
cmp ecx, edi |
jne 00007F8C74DE5ED9h |
mov ecx, BB40E64Fh |
jmp 00007F8C74DE5EE0h |
test esi, ecx |
jne 00007F8C74DE5EDCh |
or eax, 00004711h |
shl eax, 10h |
or ecx, eax |
mov dword ptr [004307C0h], ecx |
not ecx |
pop edi |
mov dword ptr [00430800h], ecx |
pop esi |
ret |
push ebp |
mov ebp, esp |
sub esp, 14h |
lea eax, dword ptr [ebp-0Ch] |
xorps xmm0, xmm0 |
push eax |
movlpd qword ptr [ebp-0Ch], xmm0 |
call dword ptr [0042E8C8h] |
mov eax, dword ptr [ebp-08h] |
xor eax, dword ptr [ebp-0Ch] |
mov dword ptr [ebp-04h], eax |
call dword ptr [0042E884h] |
xor dword ptr [ebp-04h], eax |
call dword ptr [0042E880h] |
xor dword ptr [ebp-04h], eax |
lea eax, dword ptr [ebp-14h] |
push eax |
call dword ptr [0042E910h] |
mov eax, dword ptr [ebp-10h] |
lea ecx, dword ptr [ebp-04h] |
xor eax, dword ptr [ebp-14h] |
xor eax, dword ptr [ebp-04h] |
xor eax, ecx |
leave |
ret |
mov eax, 00004000h |
ret |
push 00431AB8h |
call dword ptr [0042E8E8h] |
ret |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
mov al, 01h |
ret |
push 00030000h |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e6ac | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x34000 | 0xe8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x35000 | 0x1b80 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x2a9a8 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x26e40 | 0xc0 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2e820 | 0x14c | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x2479a | 0x24800 | e99bb4e274380b09613559d3b1a664fb | False | 0.554781142979452 | data | 6.559742159760055 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x26000 | 0x9eb4 | 0xa000 | 3f1d7f6413abea491661acb746eefebf | False | 0.428271484375 | DOS executable (COM) | 4.91372050063646 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x30000 | 0x2280 | 0x1600 | 112d0c9e43893ae5b7f96d23807996ac | False | 0.39506392045454547 | data | 4.581141173428789 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0x33000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x34000 | 0xe8 | 0x200 | 03d6bf5d1e31277fc8fb90374111d794 | False | 0.306640625 | data | 2.344915704357875 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x35000 | 0x1b80 | 0x1c00 | 6e4c901089600f702531dbe2643a65b6 | False | 0.7770647321428571 | data | 6.526735403310053 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.BSS | 0x37000 | 0x4ca00 | 0x4ca00 | a99b3517219a13803af8e050fd3ab6d9 | False | 1.000337734502447 | data | 7.999345576417738 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.BSS | 0x84000 | 0x4ca00 | 0x4ca00 | a99b3517219a13803af8e050fd3ab6d9 | False | 1.000337734502447 | data | 7.999345576417738 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_MANIFEST | 0x34060 | 0x87 | XML 1.0 document, ASCII text | English | United States | 0.8222222222222222 |
DLL | Import |
---|---|
KERNEL32.dll | AcquireSRWLockExclusive, CloseHandle, CompareStringW, CreateFileW, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeConsole, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-31T17:38:09.045715+0100 | 2058656 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fancywaxxers .shop) | 1 | 192.168.2.5 | 65173 | 1.1.1.1 | 53 | UDP |
2024-12-31T17:38:09.546494+0100 | 2058657 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) | 1 | 192.168.2.5 | 49704 | 104.21.80.1 | 443 | TCP |
2024-12-31T17:38:09.546494+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49704 | 104.21.80.1 | 443 | TCP |
2024-12-31T17:38:37.817926+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49704 | 104.21.80.1 | 443 | TCP |
2024-12-31T17:38:37.817926+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49704 | 104.21.80.1 | 443 | TCP |
2024-12-31T17:38:38.303746+0100 | 2058657 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) | 1 | 192.168.2.5 | 49781 | 104.21.80.1 | 443 | TCP |
2024-12-31T17:38:38.303746+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49781 | 104.21.80.1 | 443 | TCP |
2024-12-31T17:38:38.773454+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.5 | 49781 | 104.21.80.1 | 443 | TCP |
2024-12-31T17:38:38.773454+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49781 | 104.21.80.1 | 443 | TCP |
2024-12-31T17:38:39.548056+0100 | 2058657 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) | 1 | 192.168.2.5 | 49792 | 104.21.80.1 | 443 | TCP |
2024-12-31T17:38:39.548056+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49792 | 104.21.80.1 | 443 | TCP |
2024-12-31T17:38:40.377926+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.5 | 49792 | 104.21.80.1 | 443 | TCP |
2024-12-31T17:38:41.043154+0100 | 2058657 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) | 1 | 192.168.2.5 | 49800 | 104.21.80.1 | 443 | TCP |
2024-12-31T17:38:41.043154+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49800 | 104.21.80.1 | 443 | TCP |
2024-12-31T17:38:43.396652+0100 | 2058657 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) | 1 | 192.168.2.5 | 49815 | 104.21.80.1 | 443 | TCP |
2024-12-31T17:38:43.396652+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49815 | 104.21.80.1 | 443 | TCP |
2024-12-31T17:38:45.340382+0100 | 2058657 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) | 1 | 192.168.2.5 | 49827 | 104.21.80.1 | 443 | TCP |
2024-12-31T17:38:45.340382+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49827 | 104.21.80.1 | 443 | TCP |
2024-12-31T17:38:47.321564+0100 | 2058657 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) | 1 | 192.168.2.5 | 49842 | 104.21.80.1 | 443 | TCP |
2024-12-31T17:38:47.321564+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49842 | 104.21.80.1 | 443 | TCP |
2024-12-31T17:38:49.423943+0100 | 2058657 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) | 1 | 192.168.2.5 | 49858 | 104.21.80.1 | 443 | TCP |
2024-12-31T17:38:49.423943+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49858 | 104.21.80.1 | 443 | TCP |
2024-12-31T17:38:49.900923+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49858 | 104.21.80.1 | 443 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 31, 2024 17:38:44.882162094 CET | 443 | 49827 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:44.882276058 CET | 49827 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:44.882618904 CET | 49827 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:44.882633924 CET | 443 | 49827 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:45.340277910 CET | 443 | 49827 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:45.340382099 CET | 49827 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:45.341649055 CET | 49827 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:45.341655016 CET | 443 | 49827 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:45.341906071 CET | 443 | 49827 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:45.343123913 CET | 49827 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:45.343239069 CET | 49827 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:45.343245029 CET | 443 | 49827 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:46.344903946 CET | 443 | 49827 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:46.344996929 CET | 443 | 49827 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:46.345065117 CET | 49827 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:46.345232010 CET | 49827 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:46.345252991 CET | 443 | 49827 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:46.846610069 CET | 49842 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:46.846658945 CET | 443 | 49842 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:46.846728086 CET | 49842 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:46.847084999 CET | 49842 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:46.847099066 CET | 443 | 49842 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:47.321428061 CET | 443 | 49842 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:47.321563959 CET | 49842 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:47.322927952 CET | 49842 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:47.322952032 CET | 443 | 49842 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:47.323199987 CET | 443 | 49842 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:47.324887037 CET | 49842 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:47.325597048 CET | 49842 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:47.325635910 CET | 443 | 49842 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:47.326561928 CET | 49842 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:47.326601028 CET | 443 | 49842 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:47.327703953 CET | 49842 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:47.327759027 CET | 443 | 49842 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:47.327928066 CET | 49842 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:47.327969074 CET | 443 | 49842 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:47.328129053 CET | 49842 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:47.328180075 CET | 443 | 49842 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:47.328360081 CET | 49842 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:47.328407049 CET | 443 | 49842 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:47.328418016 CET | 49842 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:47.328425884 CET | 443 | 49842 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:47.328615904 CET | 49842 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:47.328653097 CET | 443 | 49842 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:47.328682899 CET | 49842 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:47.328700066 CET | 49842 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:47.328809023 CET | 49842 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:47.328850031 CET | 49842 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:47.336586952 CET | 443 | 49842 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:47.336781025 CET | 49842 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:47.336833000 CET | 443 | 49842 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:47.336864948 CET | 49842 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:47.336889982 CET | 443 | 49842 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:47.336931944 CET | 49842 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:47.336947918 CET | 443 | 49842 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:47.336986065 CET | 49842 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:47.337006092 CET | 443 | 49842 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:48.960253000 CET | 443 | 49842 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:48.960371017 CET | 443 | 49842 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:48.960442066 CET | 49842 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:48.960532904 CET | 49842 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:48.960544109 CET | 443 | 49842 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:48.970010996 CET | 49858 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:48.970051050 CET | 443 | 49858 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:48.970144033 CET | 49858 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:48.970432997 CET | 49858 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:48.970448017 CET | 443 | 49858 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:49.423799992 CET | 443 | 49858 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:49.423943043 CET | 49858 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:49.425410986 CET | 49858 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:49.425422907 CET | 443 | 49858 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:49.425671101 CET | 443 | 49858 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:49.426866055 CET | 49858 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:49.426902056 CET | 49858 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:49.426939011 CET | 443 | 49858 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:49.900968075 CET | 443 | 49858 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:49.901030064 CET | 443 | 49858 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:49.901107073 CET | 443 | 49858 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:49.901119947 CET | 49858 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:49.901129961 CET | 443 | 49858 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:49.901182890 CET | 443 | 49858 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:49.901209116 CET | 49858 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:49.901216984 CET | 443 | 49858 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:49.901258945 CET | 49858 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:49.901650906 CET | 443 | 49858 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:49.901911020 CET | 443 | 49858 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:49.901958942 CET | 443 | 49858 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:49.901988983 CET | 49858 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:49.901998997 CET | 443 | 49858 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:49.902039051 CET | 443 | 49858 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:49.902040958 CET | 49858 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:49.902054071 CET | 443 | 49858 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:49.902103901 CET | 49858 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:49.902735949 CET | 443 | 49858 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:49.902851105 CET | 443 | 49858 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:49.902909040 CET | 49858 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:49.902971983 CET | 49858 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:49.902976036 CET | 443 | 49858 | 104.21.80.1 | 192.168.2.5 |
Dec 31, 2024 17:38:49.903000116 CET | 49858 | 443 | 192.168.2.5 | 104.21.80.1 |
Dec 31, 2024 17:38:49.903003931 CET | 443 | 49858 | 104.21.80.1 | 192.168.2.5 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 31, 2024 17:38:09.045715094 CET | 65173 | 53 | 192.168.2.5 | 1.1.1.1 |
Dec 31, 2024 17:38:09.055866957 CET | 53 | 65173 | 1.1.1.1 | 192.168.2.5 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Dec 31, 2024 17:38:09.045715094 CET | 192.168.2.5 | 1.1.1.1 | 0xa317 | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Dec 31, 2024 17:38:09.055866957 CET | 1.1.1.1 | 192.168.2.5 | 0xa317 | No error (0) | 104.21.80.1 | A (IP address) | IN (0x0001) | false | ||
Dec 31, 2024 17:38:09.055866957 CET | 1.1.1.1 | 192.168.2.5 | 0xa317 | No error (0) | 104.21.16.1 | A (IP address) | IN (0x0001) | false | ||
Dec 31, 2024 17:38:09.055866957 CET | 1.1.1.1 | 192.168.2.5 | 0xa317 | No error (0) | 104.21.32.1 | A (IP address) | IN (0x0001) | false | ||
Dec 31, 2024 17:38:09.055866957 CET | 1.1.1.1 | 192.168.2.5 | 0xa317 | No error (0) | 104.21.112.1 | A (IP address) | IN (0x0001) | false | ||
Dec 31, 2024 17:38:09.055866957 CET | 1.1.1.1 | 192.168.2.5 | 0xa317 | No error (0) | 104.21.96.1 | A (IP address) | IN (0x0001) | false | ||
Dec 31, 2024 17:38:09.055866957 CET | 1.1.1.1 | 192.168.2.5 | 0xa317 | No error (0) | 104.21.48.1 | A (IP address) | IN (0x0001) | false | ||
Dec 31, 2024 17:38:09.055866957 CET | 1.1.1.1 | 192.168.2.5 | 0xa317 | No error (0) | 104.21.64.1 | A (IP address) | IN (0x0001) | false | ||
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.5 | 49704 | 104.21.80.1 | 443 | 6472 | C:\Users\user\Desktop\Loader.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-31 16:38:09 UTC | 264 | OUT | |
2024-12-31 16:38:09 UTC | 8 | OUT | |
2024-12-31 16:38:37 UTC | 1127 | IN | |
2024-12-31 16:38:37 UTC | 7 | IN | |
2024-12-31 16:38:37 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.5 | 49781 | 104.21.80.1 | 443 | 6472 | C:\Users\user\Desktop\Loader.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-31 16:38:38 UTC | 265 | OUT | |
2024-12-31 16:38:38 UTC | 52 | OUT | |
2024-12-31 16:38:38 UTC | 1127 | IN | |
2024-12-31 16:38:38 UTC | 242 | IN | |
2024-12-31 16:38:38 UTC | 1369 | IN | |
2024-12-31 16:38:38 UTC | 1369 | IN | |
2024-12-31 16:38:38 UTC | 1369 | IN | |
2024-12-31 16:38:38 UTC | 1369 | IN | |
2024-12-31 16:38:38 UTC | 1369 | IN | |
2024-12-31 16:38:38 UTC | 1369 | IN | |
2024-12-31 16:38:38 UTC | 1369 | IN | |
2024-12-31 16:38:38 UTC | 1369 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.5 | 49792 | 104.21.80.1 | 443 | 6472 | C:\Users\user\Desktop\Loader.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-31 16:38:39 UTC | 277 | OUT | |
2024-12-31 16:38:39 UTC | 12804 | OUT | |
2024-12-31 16:38:40 UTC | 1137 | IN | |
2024-12-31 16:38:40 UTC | 20 | IN | |
2024-12-31 16:38:40 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.5 | 49800 | 104.21.80.1 | 443 | 6472 | C:\Users\user\Desktop\Loader.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-31 16:38:41 UTC | 279 | OUT | |
2024-12-31 16:38:41 UTC | 15058 | OUT | |
2024-12-31 16:38:42 UTC | 1143 | IN | |
2024-12-31 16:38:42 UTC | 20 | IN | |
2024-12-31 16:38:42 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.5 | 49815 | 104.21.80.1 | 443 | 6472 | C:\Users\user\Desktop\Loader.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-31 16:38:43 UTC | 273 | OUT | |
2024-12-31 16:38:43 UTC | 15331 | OUT | |
2024-12-31 16:38:43 UTC | 5181 | OUT | |
2024-12-31 16:38:44 UTC | 1131 | IN | |
2024-12-31 16:38:44 UTC | 20 | IN | |
2024-12-31 16:38:44 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.5 | 49827 | 104.21.80.1 | 443 | 6472 | C:\Users\user\Desktop\Loader.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-31 16:38:45 UTC | 273 | OUT | |
2024-12-31 16:38:45 UTC | 1204 | OUT | |
2024-12-31 16:38:46 UTC | 1135 | IN | |
2024-12-31 16:38:46 UTC | 20 | IN | |
2024-12-31 16:38:46 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.5 | 49842 | 104.21.80.1 | 443 | 6472 | C:\Users\user\Desktop\Loader.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-31 16:38:47 UTC | 278 | OUT | |
2024-12-31 16:38:47 UTC | 15331 | OUT | |
2024-12-31 16:38:47 UTC | 15331 | OUT | |
2024-12-31 16:38:47 UTC | 15331 | OUT | |
2024-12-31 16:38:47 UTC | 15331 | OUT | |
2024-12-31 16:38:47 UTC | 15331 | OUT | |
2024-12-31 16:38:47 UTC | 15331 | OUT | |
2024-12-31 16:38:47 UTC | 15331 | OUT | |
2024-12-31 16:38:47 UTC | 15331 | OUT | |
2024-12-31 16:38:47 UTC | 15331 | OUT | |
2024-12-31 16:38:47 UTC | 15331 | OUT | |
2024-12-31 16:38:48 UTC | 1137 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.5 | 49858 | 104.21.80.1 | 443 | 6472 | C:\Users\user\Desktop\Loader.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-31 16:38:49 UTC | 265 | OUT | |
2024-12-31 16:38:49 UTC | 87 | OUT | |
2024-12-31 16:38:49 UTC | 1125 | IN | |
2024-12-31 16:38:49 UTC | 244 | IN | |
2024-12-31 16:38:49 UTC | 1369 | IN | |
2024-12-31 16:38:49 UTC | 1369 | IN | |
2024-12-31 16:38:49 UTC | 1369 | IN | |
2024-12-31 16:38:49 UTC | 628 | IN | |
2024-12-31 16:38:49 UTC | 1369 | IN | |
2024-12-31 16:38:49 UTC | 1369 | IN | |
2024-12-31 16:38:49 UTC | 1369 | IN | |
2024-12-31 16:38:49 UTC | 1369 | IN |
Target ID: | 0 |
Start time: | 11:38:07 |
Start date: | 31/12/2024 |
Path: | C:\Users\user\Desktop\Loader.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x320000 |
File size: | 834'048 bytes |
MD5 hash: | 932410F2B859E916C9C7A8B801348466 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 11:38:07 |
Start date: | 31/12/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6d64d0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 11:38:08 |
Start date: | 31/12/2024 |
Path: | C:\Users\user\Desktop\Loader.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x320000 |
File size: | 834'048 bytes |
MD5 hash: | 932410F2B859E916C9C7A8B801348466 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | false |
Execution Graph
Execution Coverage: | 8.1% |
Dynamic/Decrypted Code Coverage: | 0.4% |
Signature Coverage: | 1.1% |
Total number of Nodes: | 2000 |
Total number of Limit Nodes: | 29 |
Graph
Function 0035019E Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295threadinjectionmemoryCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00321C10 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 108libraryfileloaderCOMMON
Control-flow Graph
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00336602 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00336DEA Relevance: 7.7, APIs: 5, Instructions: 197COMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00321DB0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 78librarymemoryloaderCOMMON
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00337268 Relevance: 3.2, APIs: 2, Instructions: 177COMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00337152 Relevance: 3.1, APIs: 2, Instructions: 65COMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00322010 Relevance: 3.0, APIs: 2, Instructions: 34COMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00335677 Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003214C0 Relevance: 1.8, APIs: 1, Instructions: 308COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003377F7 Relevance: 1.6, APIs: 1, Instructions: 142COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00328530 Relevance: 1.6, APIs: 1, Instructions: 116COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003356B1 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003220C0 Relevance: 1.5, APIs: 1, Instructions: 12COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0033B177 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00333400 Relevance: 6.5, APIs: 4, Instructions: 455COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0033B759 Relevance: 6.2, APIs: 4, Instructions: 205COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00329A33 Relevance: 6.1, APIs: 4, Instructions: 70COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0032A2F5 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0033ACF0 Relevance: 4.7, APIs: 3, Instructions: 205COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0032969B Relevance: 1.7, APIs: 1, Instructions: 242COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0033B6A8 Relevance: 1.7, APIs: 1, Instructions: 199fileCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0033AFB0 Relevance: 1.6, APIs: 1, Instructions: 83COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0032DDA2 Relevance: 1.6, Strings: 1, Instructions: 318COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0033B0D0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0033B27D Relevance: 1.5, APIs: 1, Instructions: 48COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00329A27 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0032C044 Relevance: 1.3, Strings: 1, Instructions: 55COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00336FE0 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00321BA0 Relevance: .0, Instructions: 15COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00338576 Relevance: 10.8, APIs: 7, Instructions: 329COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00334D0C Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 301COMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00342E5C Relevance: 9.3, APIs: 6, Instructions: 292COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0032F1B8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0033F670 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0033B536 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0032C9D2 Relevance: 6.1, APIs: 4, Instructions: 79COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0033C92E Relevance: 6.1, APIs: 4, Instructions: 74COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0033A0E6 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00335130 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 122COMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0033499C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00326780 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Execution Graph
Execution Coverage: | 5.6% |
Dynamic/Decrypted Code Coverage: | 4.6% |
Signature Coverage: | 48.6% |
Total number of Nodes: | 370 |
Total number of Limit Nodes: | 33 |
Graph
Function 00411920 Relevance: 105.2, APIs: 5, Strings: 54, Instructions: 1942COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00439B30 Relevance: 25.2, APIs: 11, Strings: 3, Instructions: 736memorycomCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 052A1000 Relevance: 19.6, APIs: 13, Instructions: 81clipboardsleepmemoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004087B0 Relevance: 7.7, APIs: 5, Instructions: 225threadCOMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040CEC7 Relevance: 2.7, Strings: 2, Instructions: 173COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00441F50 Relevance: 2.6, Strings: 2, Instructions: 136COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042D2FF Relevance: 1.6, APIs: 1, Instructions: 78COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043CFDB Relevance: 1.5, APIs: 1, Instructions: 15memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043EEC0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00420830 Relevance: 1.4, Strings: 1, Instructions: 121COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00440ED0 Relevance: 1.3, Strings: 1, Instructions: 90COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00426B80 Relevance: .4, Instructions: 426COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043F23F Relevance: .1, Instructions: 71COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043FAEB Relevance: 3.0, APIs: 2, Instructions: 16COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00438974 Relevance: 1.5, APIs: 1, Instructions: 46COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043EE40 Relevance: 1.5, APIs: 1, Instructions: 45memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042F100 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004330A8 Relevance: 1.5, APIs: 1, Instructions: 23COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043D010 Relevance: 1.5, APIs: 1, Instructions: 18memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040C880 Relevance: 1.5, APIs: 1, Instructions: 17COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040C8B3 Relevance: 1.5, APIs: 1, Instructions: 17COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0043CFF0 Relevance: 1.5, APIs: 1, Instructions: 6memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00434280 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 134clipboardCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00427050 Relevance: 10.5, Strings: 8, Instructions: 498COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004096B0 Relevance: 9.1, Strings: 7, Instructions: 385COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004162D2 Relevance: 9.1, Strings: 7, Instructions: 340COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0033A9F7 Relevance: 7.7, APIs: 5, Instructions: 182COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00420130 Relevance: 6.8, Strings: 5, Instructions: 500COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0042CC46 Relevance: 6.5, Strings: 5, Instructions: 211 (COMMON)
Function 0042CE63 Relevance: 6.5, Strings: 5, Instructions: 209 (COMMON)
Function 00333400 Relevance: 6.5, APIs: 4, Instructions: 455 (COMMON)
Function 0033B759 Relevance: 6.2, APIs: 4, Instructions: 205 (COMMON)
Function 00329A33 Relevance: 6.1, APIs: 4, Instructions: 70 (COMMON)
Function 0041AA81 Relevance: 4.2, Strings: 3, Instructions: 488 (COMMON)
Function 00421600 Relevance: 4.1, Strings: 3, Instructions: 326 (COMMON)
Function 00417FBC Relevance: 4.1, Strings: 3, Instructions: 325 (COMMON)
Function 00413D50 Relevance: 3.6, Strings: 2, Instructions: 1117 (COMMON)
Function 00408FE0 Relevance: 2.8, Strings: 2, Instructions: 286 (COMMON)
Function 0042BC0F Relevance: 2.7, Strings: 2, Instructions: 171 (COMMON)
Function 0042BBCB Relevance: 2.7, Strings: 2, Instructions: 152 (COMMON)
Function 0042BB79 Relevance: 2.6, Strings: 2, Instructions: 113 (COMMON)
Function 0043D9A0 Relevance: 1.9, Strings: 1, Instructions: 626 (COMMON)
Function 00423E62 Relevance: 1.7, Strings: 1, Instructions: 467 (COMMON)
Function 00421980 Relevance: 1.7, Strings: 1, Instructions: 457 (COMMON)
Function 0043A660 Relevance: 1.7, Strings: 1, Instructions: 453 (COMMON)
Function 00416914 Relevance: 1.7, Strings: 1, Instructions: 438 (COMMON)
Function 0042AD70 Relevance: 1.6, Strings: 1, Instructions: 383 (COMMON)
Function 0042B1E0 Relevance: 1.5, Strings: 1, Instructions: 236 (COMMON)
Function 0041B8D4 Relevance: 1.3, Strings: 1, Instructions: 94 (COMMON)
Function 00402F10 Relevance: .7, Instructions: 664 (COMMON)
Function 00407470 Relevance: .6, Instructions: 608 (COMMON)
Function 00405910 Relevance: .4, Instructions: 448 (COMMON)
Function 00428D4A Relevance: .4, Instructions: 375 (COMMON)
Function 0041CD40 Relevance: .3, Instructions: 267 (COMMON)
Function 0043D560 Relevance: .2, Instructions: 243 (COMMON)
Function 00402530 Relevance: .2, Instructions: 239 (COMMON)
Function 00427879 Relevance: .2, Instructions: 173 (COMMON)
Function 00427030 Relevance: .1, Instructions: 103 (COMMON)
Function 00423D10 Relevance: .1, Instructions: 94 (COMMON)
Function 00436320 Relevance: .1, Instructions: 64 (COMMON)
Function 0042AA70 Relevance: .1, Instructions: 63 (COMMON)
Function 0043F6E3 Relevance: .0, Instructions: 31 (COMMON)
Function 0043EAF2 Relevance: .0, Instructions: 21 (COMMON)
Function 0040BDB9 Relevance: .0, Instructions: 10 (COMMON)
Function 0043323E Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 166 (memory, COMMON)
Function 0043397C Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 162 (memory, COMMON)
Function 00321C10 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 108 (libraryloader, COMMON)
Function 00338576 Relevance: 10.8, APIs: 7, Instructions: 329 (COMMON)
Function 00334D0C Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 301 (COMMON, LIBRARYCODE)
Function 00336602 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74 (COMMON, LIBRARYCODE)
Function 00342E5C Relevance: 9.3, APIs: 6, Instructions: 292 (COMMON)
Function 0032F1B8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42 (libraryloader, COMMON, LIBRARYCODE)
Function 00336DEA Relevance: 7.7, APIs: 5, Instructions: 197 (COMMON)
Function 0033F670 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27 (library, COMMON, LIBRARYCODE)
Function 0033B536 Relevance: 6.1, APIs: 4, Instructions: 82 (COMMON)
Function 0032C9D2 Relevance: 6.1, APIs: 4, Instructions: 79 (COMMON)
Function 0033C92E Relevance: 6.1, APIs: 4, Instructions: 74 (COMMON)
Function 0032A2F5 Relevance: 6.0, APIs: 4, Instructions: 25 (timethread, COMMON, LIBRARYCODE)
Function 00335130 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 122 (COMMON, LIBRARYCODE)
Function 00339E4A Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113 (COMMON, LIBRARYCODE)
Function 0033499C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97 (COMMON, LIBRARYCODE)
Function 00321DB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 78 (libraryloader, COMMON)
Function 00326780 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34 (COMMON, LIBRARYCODE)