Windows
Analysis Report
Loader.exe
Overview
General Information
Detection
Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Classification
- System is w10x64
- Loader.exe (PID: 5164, cmdline: "C:\Users\user\Desktop\Loader.exe", MD5: 0792FCE4557CAE0687A02E5E41BE587A)
- conhost.exe (PID: 5076, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- Loader.exe (PID: 2588, cmdline: "C:\Users\user\Desktop\Loader.exe", MD5: 0792FCE4557CAE0687A02E5E41BE587A)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in the C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | |
{"C2 url": ["tirepublicerj.shop", "noisycuttej.shop", "nearycrepso.shop", "rabidcowse.shop", "wholersorie.shop", "fancywaxxers.shop", "cloudewahsj.shop", "abruptyopsn.shop", "framekgirus.shop"], "Build id": "yau6Na--6524795094"}
Rule | Description | Author |
---|---|---|
JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
Rule | Description | Author |
---|---|---|
JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |
JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-01T02:56:56.188431+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49730 | 104.21.48.1 | 443 | TCP |
2025-01-01T02:56:57.422798+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 104.21.48.1 | 443 | TCP |
2025-01-01T02:56:58.724005+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 104.21.48.1 | 443 | TCP |
2025-01-01T02:56:59.828044+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 104.21.48.1 | 443 | TCP |
2025-01-01T02:57:01.065590+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49734 | 104.21.48.1 | 443 | TCP |
2025-01-01T02:57:02.521703+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49735 | 104.21.48.1 | 443 | TCP |
2025-01-01T02:57:04.160117+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49736 | 104.21.48.1 | 443 | TCP |
2025-01-01T02:57:06.388204+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 104.21.48.1 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-01T02:56:56.941241+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 104.21.48.1 | 443 | TCP |
2025-01-01T02:56:57.893852+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 104.21.48.1 | 443 | TCP |
2025-01-01T02:57:06.874165+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 104.21.48.1 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-01T02:56:56.941241+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 104.21.48.1 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-01T02:56:57.893852+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 104.21.48.1 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-01T02:56:56.188431+0100 | 2058657 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49730 | 104.21.48.1 | 443 | TCP |
2025-01-01T02:56:57.422798+0100 | 2058657 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49731 | 104.21.48.1 | 443 | TCP |
2025-01-01T02:56:58.724005+0100 | 2058657 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49732 | 104.21.48.1 | 443 | TCP |
2025-01-01T02:56:59.828044+0100 | 2058657 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49733 | 104.21.48.1 | 443 | TCP |
2025-01-01T02:57:01.065590+0100 | 2058657 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49734 | 104.21.48.1 | 443 | TCP |
2025-01-01T02:57:02.521703+0100 | 2058657 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49735 | 104.21.48.1 | 443 | TCP |
2025-01-01T02:57:04.160117+0100 | 2058657 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49736 | 104.21.48.1 | 443 | TCP |
2025-01-01T02:57:06.388204+0100 | 2058657 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49737 | 104.21.48.1 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-01T02:56:55.706456+0100 | 2058656 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 61080 | 1.1.1.1 | 53 | UDP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-01T02:57:00.384585+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 104.21.48.1 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-01T02:57:04.233693+0100 | 2843864 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 104.21.48.1 | 443 | TCP |
AV Detection
- Avira URL Cloud: 3 entries
- Malware Configuration Extractor
- ReversingLabs
- Virustotal
- Integrated Neural Analysis Model
- Joe Sandbox ML
- String decryptor: 15 entries
- Code function: 2_2_00415270
- Static PE information
- HTTPS traffic detected: 8 entries
- Code function: 0_2_00D4B6E8, 0_2_00D4B799
- Code function: 2_2_0043F950, 2_2_00440980, 2_2_0040A9B0, 2_2_00415270, 2_2_00422A28, 2_2_00423288, 2_2_0040CB18, 2_2_00440BA0, 2_2_004224ED, 2_2_00418C90, 2_2_00409DEC, 2_2_0043F040, 2_2_0042C055, 2_2_00409814, 2_2_0041B839, 2_2_004058C0, 2_2_0042A0A0, 2_2_00428150, 2_2_00425784, 2_2_0042796F, 2_2_0043F130, 2_2_00419980, 2_2_00409240, 2_2_00408A70, 2_2_0042BAC4, 2_2_0043C280, 2_2_0043F2B0, 2_2_00439B49, 2_2_0043F350, 2_2_00429B60, 2_2_00402B70, 2_2_0043F3E0, 2_2_00439460, 2_2_0041DC10, 2_2_00407420, 2_2_00440CD0, 2_2_00428490, 2_2_0042A500, 2_2_0041AD10, 2_2_0041E5F0, 2_2_00421D90, 2_2_00423E61, 2_2_0042C6D2, 2_2_0042C675, 2_2_0042B693, 2_2_0043F6A0, 2_2_00426740, 2_2_00414760, 2_2_00426760, 2_2_00416711, 2_2_00409710, 2_2_0042873A, 2_2_00416FC4, 2_2_00434FD0, 2_2_00417FB1
Networking
- Suricata IDS: 16 entries
- URLs: 9 entries
- IP Address
- JA3 fingerprint
- Suricata IDS: 8 entries
- HTTP traffic detected: 8 entries
- UDP traffic detected without corresponding DNS query
- DNS traffic detected
- HTTP traffic detected
- String found in binary or memory: 45 entries
- Network traffic detected: 16 entries
- HTTPS traffic detected: 8 entries
- Code function: 2_2_00432490
- Code function: 2_2_02FD1000
- Code function: 2_2_00432620
- Code function: 0_2_00D4EA8E, 0_2_00D43440, 0_2_00D3DDE2, 0_2_00D50502, 0_2_00D396DB, 2_2_00438890, 2_2_00412120, 2_2_0040A9B0, 2_2_0043FA60, 2_2_00415270, 2_2_00426270, 2_2_00422A28, 2_2_004402E0, 2_2_00423288, 2_2_0043BB60, 2_2_0041ECC0, 2_2_004224ED, 2_2_0040E635, 2_2_0040D6C5, 2_2_004086F0, 2_2_0042AF45, 2_2_0043F040, 2_2_00430800, 2_2_00409814, 2_2_0041D020, 2_2_0041B839, 2_2_004058C0, 2_2_0042D0FF, 2_2_004320A0, 2_2_004038B0, 2_2_00428150, 2_2_00421960, 2_2_0042796F, 2_2_0043F130, 2_2_0042E1C6, 2_2_004171F0, 2_2_0042A9F0, 2_2_00419980, 2_2_004381A0, 2_2_004371AD, 2_2_004061B0, 2_2_00409240, 2_2_00423A50, 2_2_00404260, 2_2_0041627D, 2_2_00439A00, 2_2_0041D2F0, 2_2_0043C280, 2_2_00432290, 2_2_004082B0, 2_2_0043F2B0, 2_2_00439B49, 2_2_0043F350, 2_2_00436B5C, 2_2_00425370, 2_2_0040FB16, 2_2_00408B30, 2_2_0042D330, 2_2_004193D2, 2_2_0043F3E0, 2_2_00404BA0, 2_2_00435BAA, 2_2_00420440, 2_2_00439460, 2_2_0041DC10, 2_2_00407420, 2_2_0041B432, 2_2_0043FCE0, 2_2_0042E4F1, 2_2_0041FC89, 2_2_0043648E, 2_2_0042DCAF, 2_2_0042FDD0, 2_2_00421D90, 2_2_00411598, 2_2_00406640, 2_2_0042B65A, 2_2_00423E61, 2_2_00405E10, 2_2_0040AE90, 2_2_00402EB0, 2_2_00426740, 2_2_00437F40, 2_2_00417F48, 2_2_0042B748, 2_2_00414760, 2_2_00426760, 2_2_0041D700, 2_2_00409710, 2_2_00416F13, 2_2_00429720, 2_2_0042873A, 2_2_0042B7C3, 2_2_00428FD0, 2_2_0043FFE0, 2_2_0042A7F0, 2_2_0043CFF7, 2_2_00417FB1, 2_2_0043BFB0, 2_2_00D4EA8E, 2_2_00D43440, 2_2_00D3DDE2, 2_2_00D50502, 2_2_00D396DB
- Static PE information
- Static PE information: 2 entries
- Classification label
- Code function: 2_2_00438890
- Mutant created
- Static PE information
- Key opened
- Binary or memory string
- ReversingLabs
- Virustotal
- File read
- Process created: 4 entries
- Section loaded: 39 entries
- Static PE information: 5 entries
- Code function: 0_2_00D39DBD, 2_2_0044819A, 2_2_00447BA3, 2_2_004473BA, 2_2_00444CA2, 2_2_0043BF2E, 2_2_0043EFB4, 2_2_00D39DBD
- Registry key monitored for changes: 2 entries
- Process information set
Malware Analysis System Evasion
- WMI Queries
- System information queried
- Window / User API
- Thread sleep time
- Thread sleep count
- WMI Queries
- Last function: 2 entries
- Code function: 0_2_00D4B6E8, 0_2_00D4B799
- Binary or memory string
- API call chain: graph_2-30315
- Process information queried
- Code function: 2_2_0043D760
- Code function: 0_2_00D39A73
- Code function: 0_2_00D6019E, 0_2_00D31BA0, 2_2_00D31BA0
- Code function: 0_2_00D47020
- Code function: 0_2_00D39A73, 0_2_00D41A60, 0_2_00D39A67, 0_2_00D396B3, 2_2_00D39A73, 2_2_00D41A60, 2_2_00D39A67, 2_2_00D396B3
HIPS / PFW / Operating System Protection Evasion
- Code function: 0_2_00D6019E
- Memory written
- String found in binary or memory: 9 entries
- Process created
- Code function: 0_2_00D4B0C5, 0_2_00D468FD, 0_2_00D4B1B7, 0_2_00D4B110, 0_2_00D4B2BD, 0_2_00D4AA37, 0_2_00D463F5, 0_2_00D4AC88, 0_2_00D4AD30, 0_2_00D4AFF0, 0_2_00D4AF83, 2_2_00D4B0C5, 2_2_00D468FD, 2_2_00D4B1B7, 2_2_00D4B110, 2_2_00D4B2BD, 2_2_00D4AA37, 2_2_00D463F5, 2_2_00D4AC88, 2_2_00D4AD30, 2_2_00D4AFF0, 2_2_00D4AF83
- Queries volume information
- Code function: 0_2_00D3A335
- Key value queried
- Binary or memory string
- WMI Queries
Stealing of Sensitive Information
- File source: 3 entries
- String found in binary or memory: 9 entries
- File opened: 109 entries
- File opened: 7 entries
- File opened: 12 entries
- File source
Remote Access Functionality |
---|
Source: | File source: | ||
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 DLL Side-Loading | 211 Process Injection | 21 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 211 Process Injection | LSASS Memory | 1 Query Registry | Remote Desktop Protocol | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 241 Security Software Discovery | SMB/Windows Admin Shares | 4 Data from Local System | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 21 Virtualization/Sandbox Evasion | Distributed Component Object Model | 3 Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 33 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
45% | ReversingLabs | Win32.Trojan.Generic | ||
39% | Virustotal | Browse | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware | ||
100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
fancywaxxers.shop | 104.21.48.1 | true | false | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
false | high | ||
false | high | ||
false | high | ||
false | high | ||
false | high | ||
false | high | ||
false | high | ||
false | high | ||
false | high | ||
false | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
104.21.48.1 | fancywaxxers.shop | United States | 13335 | CLOUDFLARENETUS | false |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1582939 |
Start date and time: | 2025-01-01 02:56:04 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 54s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 7 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | Loader.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@4/0@1/1 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description |
---|---|---|
20:56:55 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
104.21.48.1 | Get hash | malicious | CMSBrute | Browse | |
| Get hash | malicious | FormBook | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
fancywaxxers.shop | Get hash | malicious | LummaC | Browse | |
| Get hash | malicious | LummaC | Browse | |
| Get hash | malicious | LummaC | Browse | |
| Get hash | malicious | LummaC | Browse | |
| Get hash | malicious | LummaC | Browse | |
| Get hash | malicious | LummaC | Browse | |
| Get hash | malicious | LummaC, Amadey, LummaC Stealer | Browse | |
| Get hash | malicious | LummaC | Browse | |
| Get hash | malicious | LummaC | Browse | |
| Get hash | malicious | LummaC | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CLOUDFLARENETUS | Get hash | malicious | Unknown | Browse | |
| Get hash | malicious | Unknown | Browse | |
| Get hash | malicious | Unknown | Browse | |
| Get hash | malicious | Unknown | Browse | |
| Get hash | malicious | Unknown | Browse | |
| Get hash | malicious | Unknown | Browse | |
| Get hash | malicious | LummaC | Browse | |
| Get hash | malicious | Unknown | Browse | |
| Get hash | malicious | LummaC | Browse | |
| Get hash | malicious | LummaC | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC | Browse | |
| Get hash | malicious | LummaC | Browse | |
| Get hash | malicious | LummaC | Browse | |
| Get hash | malicious | LummaC | Browse | |
| Get hash | malicious | LummaC | Browse | |
| Get hash | malicious | LummaC | Browse | |
| Get hash | malicious | LummaC | Browse | |
| Get hash | malicious | LummaC | Browse | |
| Get hash | malicious | LummaC | Browse | |
| Get hash | malicious | LummaC | Browse | |
File type: | |
Entropy (8bit): | 7.822383525403777 |
TrID: | |
File name: | Loader.exe |
File size: | 822'784 bytes |
MD5: | 0792fce4557cae0687a02e5e41be587a |
SHA1: | 1bac30844ed9b13082a7df999518b0cc59759278 |
SHA256: | 6e7b661fb3b6610bc026dd050824e7faaf3bd3b5fa0b168d941858fc694ba871 |
SHA512: | b7fb793442afa46c3ba8a3066adaf94453a5324bf717904bb564fde1b14471245e3cd77b6bfff4a5c236551ec4f5ee091121fd6827635c4ddb3394dd627e1426 |
SSDEEP: | 12288:h3K1Pp+lMeB8MFA6ln2KKV+FV9cEmRJ3Tn0FA6ln2KKV+FV9cEmRJ3Tn1:lK1PSMZ8A6JoM7cF3gA6JoM7cF3p |
TLSH: | F905015275C0C0B2C5632677A9F9E7B60A3DBD100B629ACF63C81BB68F316C55734A27 |
File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....sg.................H........................@.......................................@.....................................(.. |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x40a2e0 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x6773E4A4 [Tue Dec 31 12:33:40 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 019ac8c6e24f80fb88de699b6749f599 |
Instruction |
---|
call 00007FFAA8BF063Ah |
jmp 00007FFAA8BF049Dh |
mov ecx, dword ptr [004307C0h] |
push esi |
push edi |
mov edi, BB40E64Eh |
mov esi, FFFF0000h |
cmp ecx, edi |
je 00007FFAA8BF0636h |
test esi, ecx |
jne 00007FFAA8BF0658h |
call 00007FFAA8BF0661h |
mov ecx, eax |
cmp ecx, edi |
jne 00007FFAA8BF0639h |
mov ecx, BB40E64Fh |
jmp 00007FFAA8BF0640h |
test esi, ecx |
jne 00007FFAA8BF063Ch |
or eax, 00004711h |
shl eax, 10h |
or ecx, eax |
mov dword ptr [004307C0h], ecx |
not ecx |
pop edi |
mov dword ptr [00430800h], ecx |
pop esi |
ret |
push ebp |
mov ebp, esp |
sub esp, 14h |
lea eax, dword ptr [ebp-0Ch] |
xorps xmm0, xmm0 |
push eax |
movlpd qword ptr [ebp-0Ch], xmm0 |
call dword ptr [0042E8D8h] |
mov eax, dword ptr [ebp-08h] |
xor eax, dword ptr [ebp-0Ch] |
mov dword ptr [ebp-04h], eax |
call dword ptr [0042E894h] |
xor dword ptr [ebp-04h], eax |
call dword ptr [0042E890h] |
xor dword ptr [ebp-04h], eax |
lea eax, dword ptr [ebp-14h] |
push eax |
call dword ptr [0042E920h] |
mov eax, dword ptr [ebp-10h] |
lea ecx, dword ptr [ebp-04h] |
xor eax, dword ptr [ebp-14h] |
xor eax, dword ptr [ebp-04h] |
xor eax, ecx |
leave |
ret |
mov eax, 00004000h |
ret |
push 00431AB8h |
call dword ptr [0042E8F8h] |
ret |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
mov al, 01h |
ret |
push 00030000h |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e6c4 | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x34000 | 0xe8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x35000 | 0x1b90 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x2a9a8 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x26e40 | 0xc0 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2e834 | 0x148 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x247da | 0x24800 | ba0610d1e4ecb6f5f64959d9eb5b455a | False | 0.5549951840753424 | data | 6.559506263512015 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x26000 | 0x9eb4 | 0xa000 | 53eba87ddc7d2455b0ac2836680b1660 | False | 0.428271484375 | DOS executable (COM) | 4.9181666163124085 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x30000 | 0x2280 | 0x1600 | 112d0c9e43893ae5b7f96d23807996ac | False | 0.39506392045454547 | data | 4.581141173428789 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0x33000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x34000 | 0xe8 | 0x200 | 03d6bf5d1e31277fc8fb90374111d794 | False | 0.306640625 | data | 2.344915704357875 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x35000 | 0x1b90 | 0x1c00 | 3080b38ba0e27b64b3ab5ca0f93c1c7c | False | 0.7785993303571429 | data | 6.532705218372571 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.BSS | 0x37000 | 0x4b400 | 0x4b400 | f4a6f0ab2f6a1191734ef7d005e64463 | False | 1.0003276837624584 | data | 7.999361309867783 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.BSS | 0x83000 | 0x4b400 | 0x4b400 | f4a6f0ab2f6a1191734ef7d005e64463 | False | 1.0003276837624584 | data | 7.999361309867783 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_MANIFEST | 0x34060 | 0x87 | XML 1.0 document, ASCII text | English | United States | 0.8222222222222222 |
DLL | Import |
---|---|
KERNEL32.dll | AcquireSRWLockExclusive, CloseHandle, CompareStringW, CreateFileW, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-01T02:56:55.706456+0100 | 2058656 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fancywaxxers .shop) | 1 | 192.168.2.4 | 61080 | 1.1.1.1 | 53 | UDP |
2025-01-01T02:56:56.188431+0100 | 2058657 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) | 1 | 192.168.2.4 | 49730 | 104.21.48.1 | 443 | TCP |
2025-01-01T02:56:56.188431+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49730 | 104.21.48.1 | 443 | TCP |
2025-01-01T02:56:56.941241+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49730 | 104.21.48.1 | 443 | TCP |
2025-01-01T02:56:56.941241+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49730 | 104.21.48.1 | 443 | TCP |
2025-01-01T02:56:57.422798+0100 | 2058657 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) | 1 | 192.168.2.4 | 49731 | 104.21.48.1 | 443 | TCP |
2025-01-01T02:56:57.422798+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 104.21.48.1 | 443 | TCP |
2025-01-01T02:56:57.893852+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49731 | 104.21.48.1 | 443 | TCP |
2025-01-01T02:56:57.893852+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49731 | 104.21.48.1 | 443 | TCP |
2025-01-01T02:56:58.724005+0100 | 2058657 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) | 1 | 192.168.2.4 | 49732 | 104.21.48.1 | 443 | TCP |
2025-01-01T02:56:58.724005+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49732 | 104.21.48.1 | 443 | TCP |
2025-01-01T02:56:59.828044+0100 | 2058657 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) | 1 | 192.168.2.4 | 49733 | 104.21.48.1 | 443 | TCP |
2025-01-01T02:56:59.828044+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49733 | 104.21.48.1 | 443 | TCP |
2025-01-01T02:57:00.384585+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49733 | 104.21.48.1 | 443 | TCP |
2025-01-01T02:57:01.065590+0100 | 2058657 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) | 1 | 192.168.2.4 | 49734 | 104.21.48.1 | 443 | TCP |
2025-01-01T02:57:01.065590+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49734 | 104.21.48.1 | 443 | TCP |
2025-01-01T02:57:02.521703+0100 | 2058657 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) | 1 | 192.168.2.4 | 49735 | 104.21.48.1 | 443 | TCP |
2025-01-01T02:57:02.521703+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49735 | 104.21.48.1 | 443 | TCP |
2025-01-01T02:57:04.160117+0100 | 2058657 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) | 1 | 192.168.2.4 | 49736 | 104.21.48.1 | 443 | TCP |
2025-01-01T02:57:04.160117+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49736 | 104.21.48.1 | 443 | TCP |
2025-01-01T02:57:04.233693+0100 | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 1 | 192.168.2.4 | 49736 | 104.21.48.1 | 443 | TCP |
2025-01-01T02:57:06.388204+0100 | 2058657 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) | 1 | 192.168.2.4 | 49737 | 104.21.48.1 | 443 | TCP |
2025-01-01T02:57:06.388204+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49737 | 104.21.48.1 | 443 | TCP |
2025-01-01T02:57:06.874165+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49737 | 104.21.48.1 | 443 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 1, 2025 02:56:55.724112988 CET | 49730 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:55.724159002 CET | 443 | 49730 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:55.724231958 CET | 49730 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:55.727045059 CET | 49730 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:55.727061033 CET | 443 | 49730 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:56.188210964 CET | 443 | 49730 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:56.188431025 CET | 49730 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:56.191973925 CET | 49730 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:56.191996098 CET | 443 | 49730 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:56.192424059 CET | 443 | 49730 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:56.239005089 CET | 49730 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:56.239005089 CET | 49730 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:56.239140987 CET | 443 | 49730 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:56.941248894 CET | 443 | 49730 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:56.941344023 CET | 443 | 49730 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:56.941565990 CET | 49730 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:56.943289042 CET | 49730 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:56.943289042 CET | 49730 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:56.943351030 CET | 443 | 49730 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:56.943377972 CET | 443 | 49730 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:56.952259064 CET | 49731 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:56.952290058 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:56.952394962 CET | 49731 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:56.952718019 CET | 49731 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:56.952728033 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:57.422725916 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:57.422797918 CET | 49731 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:57.424338102 CET | 49731 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:57.424341917 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:57.424561024 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:57.425796032 CET | 49731 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:57.425825119 CET | 49731 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:57.425860882 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:57.893853903 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:57.893924952 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:57.893950939 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:57.893981934 CET | 49731 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:57.893987894 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:57.893997908 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:57.894153118 CET | 49731 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:57.894167900 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:57.894212008 CET | 49731 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:57.894355059 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:57.898560047 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:57.898588896 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:57.898610115 CET | 49731 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:57.898614883 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:57.898653984 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:57.898669958 CET | 49731 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:57.898674965 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:57.898710966 CET | 49731 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:57.982398033 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:57.982453108 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:57.982537031 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:57.982614040 CET | 49731 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:57.982614040 CET | 49731 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:57.982784033 CET | 49731 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:57.982796907 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:57.982808113 CET | 49731 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:57.982814074 CET | 443 | 49731 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:58.179162025 CET | 49732 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:58.179198027 CET | 443 | 49732 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:58.179287910 CET | 49732 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:58.179841995 CET | 49732 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:58.179852962 CET | 443 | 49732 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:58.723886967 CET | 443 | 49732 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:58.724004984 CET | 49732 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:58.725336075 CET | 49732 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:58.725344896 CET | 443 | 49732 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:58.725548983 CET | 443 | 49732 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:58.726732016 CET | 49732 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:58.726896048 CET | 49732 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:58.726926088 CET | 443 | 49732 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:58.726984978 CET | 49732 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:58.726990938 CET | 443 | 49732 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:59.323582888 CET | 443 | 49732 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:59.323676109 CET | 443 | 49732 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:59.323735952 CET | 49732 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:59.323946953 CET | 49732 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:59.323964119 CET | 443 | 49732 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:59.373073101 CET | 49733 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:59.373111010 CET | 443 | 49733 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:59.373202085 CET | 49733 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:59.373506069 CET | 49733 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:59.373521090 CET | 443 | 49733 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:59.827948093 CET | 443 | 49733 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:59.828043938 CET | 49733 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:59.829384089 CET | 49733 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:59.829392910 CET | 443 | 49733 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:59.829610109 CET | 443 | 49733 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:56:59.830872059 CET | 49733 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:59.830996037 CET | 49733 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:56:59.831026077 CET | 443 | 49733 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:00.384589911 CET | 443 | 49733 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:00.384706020 CET | 443 | 49733 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:00.384789944 CET | 49733 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:00.384967089 CET | 49733 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:00.384982109 CET | 443 | 49733 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:00.571120977 CET | 49734 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:00.571171999 CET | 443 | 49734 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:00.571249962 CET | 49734 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:00.601761103 CET | 49734 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:00.601780891 CET | 443 | 49734 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:01.065496922 CET | 443 | 49734 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:01.065589905 CET | 49734 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:01.078742981 CET | 49734 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:01.078754902 CET | 443 | 49734 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:01.079081059 CET | 443 | 49734 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:01.082881927 CET | 49734 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:01.086514950 CET | 49734 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:01.086564064 CET | 443 | 49734 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:01.086631060 CET | 49734 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:01.086639881 CET | 443 | 49734 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:01.582303047 CET | 443 | 49734 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:01.582418919 CET | 443 | 49734 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:01.582484007 CET | 49734 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:01.582593918 CET | 49734 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:01.582609892 CET | 443 | 49734 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:02.061391115 CET | 49735 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:02.061431885 CET | 443 | 49735 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:02.061521053 CET | 49735 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:02.061821938 CET | 49735 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:02.061836004 CET | 443 | 49735 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:02.521608114 CET | 443 | 49735 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:02.521703005 CET | 49735 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:02.522911072 CET | 49735 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:02.522917986 CET | 443 | 49735 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:02.523123980 CET | 443 | 49735 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:02.524277925 CET | 49735 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:02.524383068 CET | 49735 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:02.524394989 CET | 443 | 49735 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:03.258507013 CET | 443 | 49735 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:03.258589983 CET | 443 | 49735 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:03.258644104 CET | 49735 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:03.258840084 CET | 49735 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:03.258861065 CET | 443 | 49735 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:03.706300020 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:03.706341982 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:03.706425905 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:03.706747055 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:03.706767082 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:04.160037994 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:04.160116911 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:04.204164982 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:04.204186916 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:04.204416990 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:04.232280016 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:04.233014107 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:04.233050108 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:04.233170033 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:04.233203888 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:04.233338118 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:04.233382940 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:04.233515978 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:04.233546972 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:04.233733892 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:04.233771086 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:04.233942032 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:04.233969927 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:04.233980894 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:04.233999014 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:04.234138012 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:04.234160900 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:04.234191895 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:04.234333038 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:04.234360933 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:04.243324995 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:04.243551970 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:04.243587017 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:04.243611097 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:04.243632078 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:04.243681908 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:04.248636007 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:05.835031986 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:05.835115910 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:05.835258007 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:05.835381031 CET | 49736 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:05.835402012 CET | 443 | 49736 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:05.905159950 CET | 49737 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:05.905210018 CET | 443 | 49737 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:05.905293941 CET | 49737 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:05.905684948 CET | 49737 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:05.905697107 CET | 443 | 49737 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:06.388115883 CET | 443 | 49737 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:06.388204098 CET | 49737 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:06.389559031 CET | 49737 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:06.389576912 CET | 443 | 49737 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:06.389801025 CET | 443 | 49737 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:06.391045094 CET | 49737 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:06.391072989 CET | 49737 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:06.391115904 CET | 443 | 49737 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:06.874170065 CET | 443 | 49737 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:06.874213934 CET | 443 | 49737 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:06.874244928 CET | 443 | 49737 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:06.874278069 CET | 443 | 49737 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:06.874283075 CET | 49737 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:06.874310017 CET | 443 | 49737 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:06.874326944 CET | 49737 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:06.874357939 CET | 443 | 49737 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:06.874391079 CET | 49737 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:06.874397993 CET | 443 | 49737 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:06.874524117 CET | 443 | 49737 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:06.874558926 CET | 49737 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:06.874561071 CET | 443 | 49737 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:06.874574900 CET | 443 | 49737 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:06.874610901 CET | 49737 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:06.874615908 CET | 443 | 49737 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:06.878911972 CET | 443 | 49737 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:06.878954887 CET | 443 | 49737 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:06.879117012 CET | 49737 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:06.879251957 CET | 49737 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:06.879270077 CET | 443 | 49737 | 104.21.48.1 | 192.168.2.4 |
Jan 1, 2025 02:57:06.879282951 CET | 49737 | 443 | 192.168.2.4 | 104.21.48.1 |
Jan 1, 2025 02:57:06.879290104 CET | 443 | 49737 | 104.21.48.1 | 192.168.2.4 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 1, 2025 02:56:55.706455946 CET | 61080 | 53 | 192.168.2.4 | 1.1.1.1 |
Jan 1, 2025 02:56:55.718822002 CET | 53 | 61080 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Jan 1, 2025 02:56:55.706455946 CET | 192.168.2.4 | 1.1.1.1 | 0x78e1 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Jan 1, 2025 02:56:55.718822002 CET | 1.1.1.1 | 192.168.2.4 | 0x78e1 | No error (0) | | | 104.21.48.1 | A (IP address) | IN (0x0001) | false |
Jan 1, 2025 02:56:55.718822002 CET | 1.1.1.1 | 192.168.2.4 | 0x78e1 | No error (0) | | | 104.21.32.1 | A (IP address) | IN (0x0001) | false |
Jan 1, 2025 02:56:55.718822002 CET | 1.1.1.1 | 192.168.2.4 | 0x78e1 | No error (0) | | | 104.21.64.1 | A (IP address) | IN (0x0001) | false |
Jan 1, 2025 02:56:55.718822002 CET | 1.1.1.1 | 192.168.2.4 | 0x78e1 | No error (0) | | | 104.21.16.1 | A (IP address) | IN (0x0001) | false |
Jan 1, 2025 02:56:55.718822002 CET | 1.1.1.1 | 192.168.2.4 | 0x78e1 | No error (0) | | | 104.21.112.1 | A (IP address) | IN (0x0001) | false |
Jan 1, 2025 02:56:55.718822002 CET | 1.1.1.1 | 192.168.2.4 | 0x78e1 | No error (0) | | | 104.21.96.1 | A (IP address) | IN (0x0001) | false |
Jan 1, 2025 02:56:55.718822002 CET | 1.1.1.1 | 192.168.2.4 | 0x78e1 | No error (0) | | | 104.21.80.1 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.4 | 49730 | 104.21.48.1 | 443 | 2588 | C:\Users\user\Desktop\Loader.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-01 01:56:56 UTC | 264 | OUT | |
2025-01-01 01:56:56 UTC | 8 | OUT | |
2025-01-01 01:56:56 UTC | 1131 | IN | |
2025-01-01 01:56:56 UTC | 7 | IN | |
2025-01-01 01:56:56 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.4 | 49731 | 104.21.48.1 | 443 | 2588 | C:\Users\user\Desktop\Loader.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-01 01:56:57 UTC | 265 | OUT | |
2025-01-01 01:56:57 UTC | 52 | OUT | |
2025-01-01 01:56:57 UTC | 1131 | IN | |
2025-01-01 01:56:57 UTC | 238 | IN | |
2025-01-01 01:56:57 UTC | 903 | IN | |
2025-01-01 01:56:57 UTC | 1369 | IN | |
2025-01-01 01:56:57 UTC | 1369 | IN | |
2025-01-01 01:56:57 UTC | 1369 | IN | |
2025-01-01 01:56:57 UTC | 1369 | IN | |
2025-01-01 01:56:57 UTC | 1369 | IN | |
2025-01-01 01:56:57 UTC | 1369 | IN | |
2025-01-01 01:56:57 UTC | 1369 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.4 | 49732 | 104.21.48.1 | 443 | 2588 | C:\Users\user\Desktop\Loader.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-01 01:56:58 UTC | 275 | OUT | |
2025-01-01 01:56:58 UTC | 15331 | OUT | |
2025-01-01 01:56:58 UTC | 2789 | OUT | |
2025-01-01 01:56:59 UTC | 1143 | IN | |
2025-01-01 01:56:59 UTC | 20 | IN | |
2025-01-01 01:56:59 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.4 | 49733 | 104.21.48.1 | 443 | 2588 | C:\Users\user\Desktop\Loader.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-01 01:56:59 UTC | 274 | OUT | |
2025-01-01 01:56:59 UTC | 8741 | OUT | |
2025-01-01 01:57:00 UTC | 1127 | IN | |
2025-01-01 01:57:00 UTC | 20 | IN | |
2025-01-01 01:57:00 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.4 | 49734 | 104.21.48.1 | 443 | 2588 | C:\Users\user\Desktop\Loader.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-01 01:57:01 UTC | 278 | OUT | |
2025-01-01 01:57:01 UTC | 15331 | OUT | |
2025-01-01 01:57:01 UTC | 5081 | OUT | |
2025-01-01 01:57:01 UTC | 1131 | IN | |
2025-01-01 01:57:01 UTC | 20 | IN | |
2025-01-01 01:57:01 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.4 | 49735 | 104.21.48.1 | 443 | 2588 | C:\Users\user\Desktop\Loader.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-01 01:57:02 UTC | 273 | OUT | |
2025-01-01 01:57:02 UTC | 1218 | OUT | |
2025-01-01 01:57:03 UTC | 1136 | IN | |
2025-01-01 01:57:03 UTC | 20 | IN | |
2025-01-01 01:57:03 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.4 | 49736 | 104.21.48.1 | 443 | 2588 | C:\Users\user\Desktop\Loader.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-01 01:57:04 UTC | 280 | OUT | |
2025-01-01 01:57:04 UTC | 15331 | OUT | |
2025-01-01 01:57:04 UTC | 15331 | OUT | |
2025-01-01 01:57:04 UTC | 15331 | OUT | |
2025-01-01 01:57:04 UTC | 15331 | OUT | |
2025-01-01 01:57:04 UTC | 15331 | OUT | |
2025-01-01 01:57:04 UTC | 15331 | OUT | |
2025-01-01 01:57:04 UTC | 15331 | OUT | |
2025-01-01 01:57:04 UTC | 15331 | OUT | |
2025-01-01 01:57:04 UTC | 15331 | OUT | |
2025-01-01 01:57:04 UTC | 15331 | OUT | |
2025-01-01 01:57:05 UTC | 1143 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.4 | 49737 | 104.21.48.1 | 443 | 2588 | C:\Users\user\Desktop\Loader.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-01 01:57:06 UTC | 265 | OUT | |
2025-01-01 01:57:06 UTC | 87 | OUT | |
2025-01-01 01:57:06 UTC | 1131 | IN | |
2025-01-01 01:57:06 UTC | 238 | IN | |
2025-01-01 01:57:06 UTC | 1369 | IN | |
2025-01-01 01:57:06 UTC | 1369 | IN | |
2025-01-01 01:57:06 UTC | 1369 | IN | |
2025-01-01 01:57:06 UTC | 1369 | IN | |
2025-01-01 01:57:06 UTC | 1369 | IN | |
2025-01-01 01:57:06 UTC | 1369 | IN | |
2025-01-01 01:57:06 UTC | 1369 | IN | |
2025-01-01 01:57:06 UTC | 1369 | IN |
Target ID: | 0 |
Start time: | 20:56:53 |
Start date: | 31/12/2024 |
Path: | C:\Users\user\Desktop\Loader.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd30000 |
File size: | 822'784 bytes |
MD5 hash: | 0792FCE4557CAE0687A02E5E41BE587A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 20:56:53 |
Start date: | 31/12/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 2 |
Start time: | 20:56:54 |
Start date: | 31/12/2024 |
Path: | C:\Users\user\Desktop\Loader.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd30000 |
File size: | 822'784 bytes |
MD5 hash: | 0792FCE4557CAE0687A02E5E41BE587A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Execution Graph
Execution Coverage: | 8.1% |
Dynamic/Decrypted Code Coverage: | 0.4% |
Signature Coverage: | 1.1% |
Total number of Nodes: | 2000 |
Total number of Limit Nodes: | 35 |
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
00D6019E | 42.3 | 10 | 14 | 295 | thread, injection, memory, COMMON |
00D31C10 | 14.1 | 7 | 1 | 108 | library, file, loader, COMMON |
00D46642 | 10.6 | 4 | 2 | 74 | COMMON, LIBRARYCODE |
00D320C0 | 8.8 | 3 | 2 | 33 | library, loader, COMMON |
00D46E2A | 7.7 | 5 | | 197 | COMMON |
00D31DB0 | 7.1 | 2 | 2 | 78 | library, memory, loader, COMMON |
00D472A8 | 3.2 | 2 | | 177 | COMMON |
00D47192 | 3.1 | 2 | | 65 | COMMON |
00D32010 | 3.0 | 2 | | 34 | COMMON |
00D456B7 | 3.0 | 2 | | 22 | memory, COMMON, LIBRARYCODE |
00D314C0 | 1.8 | 1 | | 308 | COMMON |
00D47837 | 1.6 | 1 | | 142 | COMMON |
00D38570 | 1.6 | 1 | | 116 | COMMON |
00D456F1 | 1.5 | 1 | | 32 | memory, COMMON, LIBRARYCODE |
00D4B1B7 | 8.8 | 3 | 2 | 85 | COMMON, LIBRARYCODE |
00D43440 | 6.5 | 4 | | 455 | COMMON |
00D4B799 | 6.2 | 4 | | 205 | COMMON |
00D39A73 | 6.1 | 4 | | 70 | COMMON |
00D3A335 | 6.0 | 4 | | 25 | time, thread, COMMON, LIBRARYCODE |
00D4AD30 | 4.7 | 3 | | 205 | COMMON |
00D396DB | 1.7 | 1 | | 242 | COMMON |
00D4B6E8 | 1.7 | 1 | | 199 | file, COMMON |
00D4AFF0 | 1.6 | 1 | | 83 | COMMON |
00D3DDE2 | 1.6 | | 1 | 318 | COMMON |
00D4B110 | 1.6 | 1 | | 63 | COMMON |
00D4B2BD | 1.5 | 1 | | 48 | COMMON |
00D39A67 | 1.5 | 1 | | 3 | COMMON |
00D47020 | 1.3 | 1 | | 5 | memory, COMMON |
00D31BA0 | 0.0 | | | 15 | COMMON |
00D485B6 | 10.8 | 7 | | 329 | COMMON |
00D52E9C | 9.3 | 6 | | 292 | COMMON |
00D44D4C | 9.1 | 2 | 3 | 301 | COMMON, LIBRARYCODE |
00D3F1F8 | 8.8 | 3 | 2 | 42 | library, loader, COMMON, LIBRARYCODE |
00D4F6B0 | 7.0 | 3 | 1 | 27 | library, COMMON, LIBRARYCODE |
00D4B576 | 6.1 | 4 | | 82 | COMMON |
00D3CA12 | 6.1 | 4 | | 79 | COMMON |
00D4C96E | 6.1 | 4 | | 74 | COMMON |
00D4A126 | 5.4 | 2 | 1 | 191 | COMMON, LIBRARYCODE |
00D45170 | 5.4 | 1 | 2 | 122 | COMMON, LIBRARYCODE |
00D449DC | 5.3 | 1 | 2 | 97 | COMMON, LIBRARYCODE |
Execution Graph
Execution Coverage: | 6.5% |
Dynamic/Decrypted Code Coverage: | 5.3% |
Signature Coverage: | 46.7% |
Total number of Nodes: | 304 |
Total number of Limit Nodes: | 19 |
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
00412120 | 131.6 | 3 | 71 | 2148 | COMMON |
00438890 | 32.3 | 11 | 7 | 781 | memory, com, COMMON |
02FD1000 | 19.6 | 13 | | 81 | clipboard, sleep, memory, COMMON |
004224ED | 11.7 | | 9 | 416 | COMMON |
004086F0 | 7.8 | 5 | | 293 | thread, COMMON |
0040CB18 | 5.3 | | 4 | 280 | COMMON |
00422A28 | 3.1 | | 2 | 589 | COMMON |
0040A9B0 | 2.9 | | 2 | 398 | COMMON |
0043D760 | 1.5 | 1 | | 14 | library, COMMON |
00440980 | 1.4 | | 1 | 128 | COMMON |
0043F950 | 1.4 | | 1 | 102 | COMMON |
00418C90 | 0.2 | | | 201 | COMMON |
00440BA0 | 0.1 | | | 115 | COMMON |
00409DEC | 0.1 | | | 90 | COMMON |
0042CC80 | 3.1 | 2 | | 123 | COMMON |
0042CC7E | 3.1 | 2 | | 100 | COMMON |
0040EA88 | 3.0 | 2 | | 29 | COMMON |
0043E5F1 | 3.0 | 2 | | 16 | COMMON |
0042CC2C | 1.6 | 1 | | 100 | COMMON |
0042CE22 | 1.6 | 1 | | 71 | COMMON |
0042CE20 | 1.6 | 1 | | 50 | COMMON |
0043D700 | 1.5 | 1 | | 30 | memory, COMMON |
0042DC02 | 1.5 | 1 | | 27 | COMMON |
0043100D | 1.5 | 1 | | 22 | COMMON |
0040CAD0 | 1.5 | 1 | | 17 | COMMON |
0043BB30 | 1.5 | 1 | | 15 | memory, COMMON |
0043BB10 | 1.5 | 1 | | 9 | memory, COMMON |
00423E61 | 22.3 | | 17 | 1019 | COMMON |
00426740 | 11.8 | | 9 | 599 | COMMON |
00409710 | 9.1 | | 7 | 378 | COMMON |
00425784 | 8.9 | | 7 | 162 | COMMON |
00D4AA37 | 7.7 | 5 | | 182 | COMMON |
00409814 | 6.5 | | 5 | 282 | COMMON |
00D43440 | 6.5 | 4 | | 455 | COMMON |
00D39A73 | 6.1 | 4 | | 70 | COMMON |
0042873A | 4.0 | | 3 | 293 | COMMON |
0041AD10 | 4.0 | | 3 | 237 | COMMON |
00417FB1 | 3.4 | | 2 | 862 | COMMON |
0041DC10 | 3.3 | | 2 | 781 | COMMON |
0043C280 | 3.3 | | 2 | 771 | COMMON |
00426760 | 3.1 | | 2 | 590 | COMMON |
0041B839 | 2.8 | | 2 | 267 | COMMON |
00414760 | 2.3 | | 1 | 1046 | COMMON |
00421D90 | 1.7 | | 1 | 459 | COMMON |
00409240 | 1.7 | | 1 | 444 | COMMON |
00439B49 | 1.7 | | 1 | 426 | COMMON |
0042A0A0 | 1.6 | | 1 | 380 | COMMON |
0042A500 | 1.5 | | 1 | 236 | COMMON |
0043F040 | 0.6 | | | 642 | COMMON |
00407420 | 0.6 | | | 625 | COMMON |
0043F130 | 0.6 | | | 574 | COMMON |
004058C0 | 0.4 | | | 449 | COMMON |
0043F2B0 | 0.4 | | | 446 | COMMON |
00439460 | 0.4 | | | 425 | COMMON |
0043F3E0 | 0.4 | | | 421 | COMMON |
0043F350 | 0.4 | | | 402 | COMMON |
0041E5F0 | 0.2 | | | 204 | COMMON |
0043F6A0 | 0.2 | | | 198 | COMMON |
00428490 | 0.2 | | | 191 | COMMON |
00416FC4 | 0.2 | | | 167 | COMMON |
00416711 | 0.2 | | | 159 | COMMON |
0042C6D2 | 0.1 | | | 115 | COMMON |
0042C675 | 0.1 | | | 113 | COMMON |
00440CD0 | 0.1 | | | 112 | COMMON |
00408A70 | 0.1 | | | 67 | COMMON |
00434FD0 | 0.1 | | | 64 | COMMON |
00429B60 | 0.1 | | | 63 | COMMON |
0042C055 | 0.0 | | | 50 | COMMON |
00402B70 | 0.0 | | | 47 | COMMON |
0042BAC4 | 0.0 | | | 44 | COMMON |
0042B693 | 0.0 | | | 17 | COMMON |
00D31C10 | 12.4 | 6 | 1 | 108 | library, loader, COMMON |
00D541D2 | 12.2 | 8 | | 248 | COMMON |
00D485B6 | 10.8 | 7 | | 329 | COMMON |
00D46642 | 10.6 | 4 | 2 | 74 | COMMON, LIBRARYCODE |
|
Similarity |
|
Function 00D52E9C Relevance: 9.3, APIs: 6, Instructions: 292COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00D44D4C Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00D3F1F8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00D46E2A Relevance: 7.7, APIs: 5, Instructions: 197COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00D320C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33libraryloaderCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00D4F6B0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00D4B576 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00D3CA12 Relevance: 6.1, APIs: 4, Instructions: 79COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00D4C96E Relevance: 6.1, APIs: 4, Instructions: 74COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00D3A335 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00D45170 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 122COMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00D449DC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00D31DB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 78libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|