Edit tour
Windows
Analysis Report
hthjjadrthad.exe
Overview
General Information
| Sample name: | hthjjadrthad.exe |
| Analysis ID: | 1583921 |
| MD5: | 8cb303a0d38bfd91163192b53ce3b01d |
| SHA1: | f4634ef2bcd87793c7d926712b419a64337e5c37 |
| SHA256: | 3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122 |
| Tags: | exeinfostealerlummauser-Joker |
| Infos: |  |
 | |
Detection
LummaC
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
hthjjadrthad.exe (PID: 7292 cmdline: "C:\Users\ user\Deskt op\hthjjad rthad.exe" MD5: 8CB303A0D38BFD91163192B53CE3B01D)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
{"C2 url": ["necklacebudi.lat", "sustainskelet.lat", "grannyejh.lat", "aspecteirs.lat", "discokeyus.lat", "clockersspic.click", "crosshuaht.lat", "energyaffai.lat", "rapeflowwj.lat"], "Build id": "yau6Na--957080957"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security | ||
| Click to see the 1 entries | ||||
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-03T21:15:54.737602+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49712 | 104.21.85.66 | 443 | TCP |
| 2025-01-03T21:15:56.021354+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49713 | 104.21.85.66 | 443 | TCP |
| 2025-01-03T21:15:58.933728+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49714 | 104.21.85.66 | 443 | TCP |
| 2025-01-03T21:16:00.200140+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49715 | 104.21.85.66 | 443 | TCP |
| 2025-01-03T21:16:01.422433+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49716 | 104.21.85.66 | 443 | TCP |
| 2025-01-03T21:16:03.519497+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49717 | 104.21.85.66 | 443 | TCP |
| 2025-01-03T21:16:08.681791+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49718 | 104.21.85.66 | 443 | TCP |
| 2025-01-03T21:16:11.545327+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49720 | 104.21.85.66 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-03T21:15:55.525902+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49712 | 104.21.85.66 | 443 | TCP |
| 2025-01-03T21:15:58.111101+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49713 | 104.21.85.66 | 443 | TCP |
| 2025-01-03T21:16:12.033448+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49720 | 104.21.85.66 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-03T21:15:55.525902+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49712 | 104.21.85.66 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-03T21:15:58.111101+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.5 | 49713 | 104.21.85.66 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-03T21:16:07.821692+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49717 | 104.21.85.66 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-03T21:16:08.694065+0100 | 2843864 | 1 | A Network Trojan was detected | 192.168.2.5 | 49718 | 104.21.85.66 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Code function: | 0_2_004B5A41 | |
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 0_2_00522490 | |
| Source: | Code function: | 0_2_004C20A0 | |
| Source: | Code function: | 0_2_004AE179 | |
| Source: | Code function: | 0_2_004D4AB0 | |
| Source: | Code function: | 0_2_004C4B40 | |
| Source: | Code function: | 0_2_004AD237 | |
| Source: | Code function: | 0_2_004DB530 | |
| Source: | Code function: | 0_2_004A95A0 | |
| Source: | Code function: | 0_2_004A95A0 | |
| Source: | Code function: | 0_2_004A95A0 | |
| Source: | Code function: | 0_2_004ABB9A | |
| Source: | Code function: | 0_2_004ABB9A | |
| Source: | Code function: | 0_2_004C4000 | |
| Source: | Code function: | 0_2_004C4000 | |
| Source: | Code function: | 0_2_004AA0A0 | |
| Source: | Code function: | 0_2_004AC1E5 | |
| Source: | Code function: | 0_2_004C0386 | |
| Source: | Code function: | 0_2_004AA4B5 | |
| Source: | Code function: | 0_2_004B4550 | |
| Source: | Code function: | 0_2_004B884A | |
| Source: | Code function: | 0_2_004C8830 | |
| Source: | Code function: | 0_2_004DA8F0 | |
| Source: | Code function: | 0_2_004C6910 | |
| Source: | Code function: | 0_2_004C89A0 | |
| Source: | Code function: | 0_2_004B69BC | |
| Source: | Code function: | 0_2_004B6A4C | |
| Source: | Code function: | 0_2_004B8A0E | |
| Source: | Code function: | 0_2_004BAD34 | |
| Source: | Code function: | 0_2_004A8F10 | |
| Source: | Code function: | 0_2_004B6F27 | |
| Source: | Code function: | 0_2_004B6F27 | |
| Source: | Code function: | 0_2_004B6F27 | |
| Source: | Code function: | 0_2_004B6F27 | |
| Source: | Code function: | 0_2_004B6F27 | |
| Source: | Code function: | 0_2_004B6F27 | |
| Source: | Code function: | 0_2_004B6F27 | |
| Source: | Code function: | 0_2_004B6F27 | |
| Source: | Code function: | 0_2_004C4F90 | |
| Source: | Code function: | 0_2_004C4F90 | |
| Source: | Code function: | 0_2_004C4FB0 | |
| Source: | Code function: | 0_2_004AD046 | |
| Source: | Code function: | 0_2_004C1080 | |
| Source: | Code function: | 0_2_004BB1E1 | |
| Source: | Code function: | 0_2_004DB220 | |
| Source: | Code function: | 0_2_004A73D0 | |
| Source: | Code function: | 0_2_004A73D0 | |
| Source: | Code function: | 0_2_004C93A0 | |
| Source: | Code function: | 0_2_004B9500 | |
| Source: | Code function: | 0_2_004B9500 | |
| Source: | Code function: | 0_2_004B9500 | |
| Source: | Code function: | 0_2_004B9500 | |
| Source: | Code function: | 0_2_004B9500 | |
| Source: | Code function: | 0_2_004B9500 | |
| Source: | Code function: | 0_2_004B9500 | |
| Source: | Code function: | 0_2_004B9500 | |
| Source: | Code function: | 0_2_004B9500 | |
| Source: | Code function: | 0_2_004B9500 | |
| Source: | Code function: | 0_2_004B9500 | |
| Source: | Code function: | 0_2_004B75F2 | |
| Source: | Code function: | 0_2_004B75F2 | |
| Source: | Code function: | 0_2_004BD6B0 | |
| Source: | Code function: | 0_2_004BD6B0 | |
| Source: | Code function: | 0_2_004B5753 | |
| Source: | Code function: | 0_2_004C1723 | |
| Source: | Code function: | 0_2_004C1723 | |
| Source: | Code function: | 0_2_004B780A | |
| Source: | Code function: | 0_2_004BB830 | |
| Source: | Code function: | 0_2_004BFA60 | |
| Source: | Code function: | 0_2_004D7E80 | |
| Source: | Code function: | 0_2_004ADF11 | |
| Source: | Code function: | 0_2_004A7FD0 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
System Summary | |
|---|
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_0054A650 | |
| Source: | Code function: | 0_2_0054A634 | |
| Source: | Code function: | 0_2_0054A6B8 | |
| Source: | Code function: | 0_2_0054A710 | |
| Source: | Code function: | 0_2_0054A7F0 | |
| Source: | Code function: | 0_2_0054A070 | |
| Source: | Code function: | 0_2_0054A028 | |
| Source: | Code function: | 0_2_0054A0B0 | |
| Source: | Code function: | 0_2_0054A1E0 | |
| Source: | Code function: | 0_2_0054A180 | |
| Source: | Code function: | 0_2_0054A27C | |
| Source: | Code function: | 0_2_0054A2C4 | |
| Source: | Code function: | 0_2_0054A2E0 | |
| Source: | Code function: | 0_2_0054A36C | |
| Source: | Code function: | 0_2_0054A338 | |
| Source: | Code function: | 0_2_0054A3F4 | |
| Source: | Code function: | 0_2_0054A43C | |
| Source: | Code function: | 0_2_0054A4EC | |
| Source: | Code function: | 0_2_0054A48C | |
| Source: | Code function: | 0_2_0054A558 | |
| Source: | Code function: | 0_2_0054A53C | |
| Source: | Code function: | 0_2_0054A5EC | |
| Source: | Code function: | 0_2_0054A58C | |
| Source: | Code function: | 0_2_0054A684 | |
| Source: | Code function: | 0_2_0054A778 | |
| Source: | Code function: | 0_2_00549B50 | |
| Source: | Code function: | 0_2_00549BE4 | |
| Source: | Code function: | 0_2_00549BB0 | |
| Source: | Code function: | 0_2_00549C50 | |
| Source: | Code function: | 0_2_00549CF8 | |
| Source: | Code function: | 0_2_00549CA0 | |
| Source: | Code function: | 0_2_00549D60 | |
| Source: | Code function: | 0_2_00549DE0 | |
| Source: | Code function: | 0_2_00549D8C | |
| Source: | Code function: | 0_2_00549E6C | |
| Source: | Code function: | 0_2_00549E14 | |
| Source: | Code function: | 0_2_00549F54 | |
| Source: | Code function: | 0_2_00549F74 | |
| Source: | Code function: | 0_2_00549F04 | |
| Source: | Code function: | 0_2_00549FE8 | |
| Source: | Code function: | 0_2_00549FB4 | |
| Source: | Code function: | 0_2_005A8CA4 | |
| Source: | Code function: | 0_2_004C20A0 | |
| Source: | Code function: | 0_2_004C0400 | |
| Source: | Code function: | 0_2_004DC430 | |
| Source: | Code function: | 0_2_004A87A0 | |
| Source: | Code function: | 0_2_004D4AB0 | |
| Source: | Code function: | 0_2_004C4B40 | |
| Source: | Code function: | 0_2_004A95A0 | |
| Source: | Code function: | 0_2_004DB770 | |
| Source: | Code function: | 0_2_004D79A0 | |
| Source: | Code function: | 0_2_004B5A41 | |
| Source: | Code function: | 0_2_004DBB40 | |
| Source: | Code function: | 0_2_004ABB9A | |
| Source: | Code function: | 0_2_004C4000 | |
| Source: | Code function: | 0_2_004A6160 | |
| Source: | Code function: | 0_2_004C611F | |
| Source: | Code function: | 0_2_004DC120 | |
| Source: | Code function: | 0_2_004A8260 | |
| Source: | Code function: | 0_2_005A8264 | |
| Source: | Code function: | 0_2_004D4200 | |
| Source: | Code function: | 0_2_004BC220 | |
| Source: | Code function: | 0_2_004A42E0 | |
| Source: | Code function: | 0_2_004D82A0 | |
| Source: | Code function: | 0_2_004C4320 | |
| Source: | Code function: | 0_2_005F0434 | |
| Source: | Code function: | 0_2_004B4550 | |
| Source: | Code function: | 0_2_004BA500 | |
| Source: | Code function: | 0_2_004A65F0 | |
| Source: | Code function: | 0_2_005A8600 | |
| Source: | Code function: | 0_2_004BE7E0 | |
| Source: | Code function: | 0_2_004C2780 | |
| Source: | Code function: | 0_2_005F680C | |
| Source: | Code function: | 0_2_0057682C | |
| Source: | Code function: | 0_2_004AA8D0 | |
| Source: | Code function: | 0_2_005FA8C4 | |
| Source: | Code function: | 0_2_004DA960 | |
| Source: | Code function: | 0_2_004A89C0 | |
| Source: | Code function: | 0_2_004C29F0 | |
| Source: | Code function: | 0_2_005A8A40 | |
| Source: | Code function: | 0_2_005C8A04 | |
| Source: | Code function: | 0_2_004BCA10 | |
| Source: | Code function: | 0_2_004C2B51 | |
| Source: | Code function: | 0_2_004ACBF0 | |
| Source: | Code function: | 0_2_004A2B90 | |
| Source: | Code function: | 0_2_0055ABB0 | |
| Source: | Code function: | 0_2_00602C38 | |
| Source: | Code function: | 0_2_004A4C10 | |
| Source: | Code function: | 0_2_00564C0C | |
| Source: | Code function: | 0_2_004B8CC2 | |
| Source: | Code function: | 0_2_004DACE0 | |
| Source: | Code function: | 0_2_005FCD68 | |
| Source: | Code function: | 0_2_004BCD70 | |
| Source: | Code function: | 0_2_005EEE4C | |
| Source: | Code function: | 0_2_004A8F10 | |
| Source: | Code function: | 0_2_004B6F27 | |
| Source: | Code function: | 0_2_004A2F30 | |
| Source: | Code function: | 0_2_004AEFD0 | |
| Source: | Code function: | 0_2_00532FF0 | |
| Source: | Code function: | 0_2_005DCFF0 | |
| Source: | Code function: | 0_2_004C4F90 | |
| Source: | Code function: | 0_2_005F905C | |
| Source: | Code function: | 0_2_00601048 | |
| Source: | Code function: | 0_2_005FD01C | |
| Source: | Code function: | 0_2_004C1080 | |
| Source: | Code function: | 0_2_005F713C | |
| Source: | Code function: | 0_2_004A9180 | |
| Source: | Code function: | 0_2_004B5180 | |
| Source: | Code function: | 0_2_004BD180 | |
| Source: | Code function: | 0_2_004A73D0 | |
| Source: | Code function: | 0_2_004AB455 | |
| Source: | Code function: | 0_2_004BD4C0 | |
| Source: | Code function: | 0_2_005C3498 | |
| Source: | Code function: | 0_2_004B154E | |
| Source: | Code function: | 0_2_004B9500 | |
| Source: | Code function: | 0_2_004B75F2 | |
| Source: | Code function: | 0_2_004D55F0 | |
| Source: | Code function: | 0_2_004BD6B0 | |
| Source: | Code function: | 0_2_004B5753 | |
| Source: | Code function: | 0_2_004C1723 | |
| Source: | Code function: | 0_2_004B780A | |
| Source: | Code function: | 0_2_004BB830 | |
| Source: | Code function: | 0_2_005E3958 | |
| Source: | Code function: | 0_2_0053D97C | |
| Source: | Code function: | 0_2_004A5900 | |
| Source: | Code function: | 0_2_004A3930 | |
| Source: | Code function: | 0_2_005CBA18 | |
| Source: | Code function: | 0_2_005A5AC8 | |
| Source: | Code function: | 0_2_005C7AC8 | |
| Source: | Code function: | 0_2_004C5AD0 | |
| Source: | Code function: | 0_2_00585C28 | |
| Source: | Code function: | 0_2_004C5D06 | |
| Source: | Code function: | 0_2_004A5DC0 | |
| Source: | Code function: | 0_2_005A5D94 | |
| Source: | Code function: | 0_2_004BBE77 | |
| Source: | Code function: | 0_2_004DBE00 | |
| Source: | Code function: | 0_2_004D7E80 | |
| Source: | Code function: | 0_2_005E3E80 | |
| Source: | Code function: | 0_2_005CFEB0 | |
| Source: | Code function: | 0_2_005CBF48 | |
| Source: | Code function: | 0_2_0065DF40 | |
| Source: | Code function: | 0_2_005A5F24 | |
| Source: | Code function: | 0_2_004D3FA0 | |
| Source: | Code function: | 0_2_02A93988 | |
| Source: | Code function: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static file information: | ||
Data Obfuscation | |
|---|
| Source: | Unpacked PE file: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00597A49 | |
| Source: | Code function: | 0_2_00506078 | |
| Source: | Code function: | 0_2_005A212C | |
| Source: | Code function: | 0_2_0053A118 | |
| Source: | Code function: | 0_2_0053A0E0 | |
| Source: | Code function: | 0_2_00580184 | |
| Source: | Code function: | 0_2_005DA148 | |
| Source: | Code function: | 0_2_0051C1CF | |
| Source: | Code function: | 0_2_0051C264 | |
| Source: | Code function: | 0_2_005721B8 | |
| Source: | Code function: | 0_2_0053E1C4 | |
| Source: | Code function: | 0_2_0055E314 | |
| Source: | Code function: | 0_2_0055E2BB | |
| Source: | Code function: | 0_2_005DC38C | |
| Source: | Code function: | 0_2_0055E380 | |
| Source: | Code function: | 0_2_0055E3D7 | |
| Source: | Code function: | 0_2_005A63B8 | |
| Source: | Code function: | 0_2_005D4434 | |
| Source: | Code function: | 0_2_0050E3F8 | |
| Source: | Code function: | 0_2_005DC3C4 | |
| Source: | Code function: | 0_2_005A04C0 | |
| Source: | Code function: | 0_2_005F6452 | |
| Source: | Code function: | 0_2_0057E5AE | |
| Source: | Code function: | 0_2_0050E59C | |
| Source: | Code function: | 0_2_0055C57D | |
| Source: | Code function: | 0_2_00662573 | |
| Source: | Code function: | 0_2_005205E8 | |
| Source: | Code function: | 0_2_0050E667 | |
| Source: | Code function: | 0_2_0050C69A | |
| Source: | Code function: | 0_2_0058673F | |
| Source: | Code function: | 0_2_0050E687 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | System information queried: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | Code function: | 0_2_00522490 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
Anti Debugging | |
|---|
| Source: | Thread information set: | Jump to behavior | ||
| Source: | Thread information set: | Jump to behavior | ||
| Source: | Code function: | 0_2_004D9410 | |
| Source: | Code function: | 0_2_02A943A4 | |
| Source: | Code function: | 0_2_02A94547 | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Code function: | 0_2_005A7268 | |
| Source: | Code function: | 0_2_00659208 | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_00548CC0 | |
| Source: | Binary or memory string: | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 11 Deobfuscate/Decode Files or Information | LSASS Memory | 221 Security Software Discovery | Remote Desktop Protocol | 4 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 4 Obfuscated Files or Information | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Software Packing | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 41 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 91% | ReversingLabs | Win32.Trojan.LummaStealer | ||
| 100% | Avira | HEUR/AGEN.1314134 | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| clockersspic.click | 104.21.85.66 | true | true | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown | |
| false | high | ||
| true |
| unknown | |
| false | high | ||
| false | high | ||
| false | high | ||
| false | high | ||
| false | high | ||
| false | high | ||
| false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | unknown | |||
| false | high | |||
| false | high | |||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 104.21.85.66 | clockersspic.click | United States | 13335 | CLOUDFLARENETUS | true |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1583921 |
| Start date and time: | 2025-01-03 21:15:06 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 18s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 4 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | hthjjadrthad.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@1/0@1/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded IPs from analysis (whitelisted): 13.89.179.12, 20.190.159.73, 20.109.210.53, 13.107.246.45
- Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- VT rate limit hit for: hthjjadrthad.exe
| Time | Type | Description |
|---|---|---|
| 15:15:54 | API Interceptor |
⊘No context
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | Browse |
| |
| Get hash | malicious | CAPTCHA Scam ClickFix | Browse |
| ||
| Get hash | malicious | DCRat | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar, XWorm | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | Browse |
| |
| Get hash | malicious | DBatLoader, FormBook | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar, XWorm | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
|
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 7.988696279208119 |
| TrID: |
|
| File name: | hthjjadrthad.exe |
| File size: | 1'268'224 bytes |
| MD5: | 8cb303a0d38bfd91163192b53ce3b01d |
| SHA1: | f4634ef2bcd87793c7d926712b419a64337e5c37 |
| SHA256: | 3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122 |
| SHA512: | 4d3f3b2ab4651548bb23b58d23e595c14760c8e1da7729a59d1d28ae9cd4930045f1873ad54464383074afbb6c505bb0a3fd87021e5a9e89331e0972c7c3387c |
| SSDEEP: | 24576:EDnubmjlREOivWlyVPWemgkv2MtQnHnejg6EQ6EqmgiPT:OqsbEwS/Dy1qxQ6EqY |
| TLSH: | 8C4533441E91FBF0D305AAF4C59A4964431A9F96342FAF510EAF4C574EFEA5C0E202EE |
| File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....6_g..........................................@...........................;...........@................................. @-.... |
 | |
| Icon Hash: | 00928e8e8686b000 |
| Entrypoint: | 0x41e6c0 |
| Entrypoint Section: | |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x675F361B [Sun Dec 15 20:03:39 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 71cc5af9daad65e58c6f29c42cdf9201 |
| Instruction |
|---|
| push ebp |
| mov ebp, esp |
| add esp, FFFFFFF0h |
| mov eax, 00401000h |
| call 00007FC4C890E326h |
| call far 5DE5h : 8B10C483h |
| jmp 00007FC4C8CA7439h |
| jno 00007FC4C890E36Fh |
| push esi |
| jmp 00007FC4EEAFBA7Ch |
| jne 00007FC4C890E39Dh |
| and ebx, ecx |
| cmp bh, bh |
| mov al, byte ptr [86C05068h] |
| into |
| mov bp, fs |
| aam 17h |
| bound eax, dword ptr [edi+ebx*8-53h] |
| xchg eax, edx |
| push ebp |
| or dword ptr [edx+46DCD4DAh], ebp |
| lodsd |
| dec ecx |
| cdq |
| inc ecx |
| jmp far 417Dh : 374977E1h |
| sal dword ptr [ecx+72h], cl |
| add ebp, eax |
| pshufw mm4, qword ptr [esi], 50h |
| add dh, byte ptr [eax-56h] |
| hlt |
| add dword ptr [edi+5CA14F18h], eax |
| jl 00007FC4C890E371h |
| and esi, dword ptr [edi] |
| pop ds |
| mov bl, 84h |
| int C9h |
| push ss |
| jle 00007FC4C890E323h |
| jbe 00007FC4C890E31Fh |
| aad 98h |
| scasb |
| sbb eax, 23555BC5h |
| lahf |
| popfd |
| lodsd |
| test al, 2Bh |
| adc eax, F53A7B2Bh |
| aam CAh |
| wait |
| xor ebx, dword ptr [ebp-6Eh] |
| lodsd |
| test cl, FFFFFFCAh |
| inc esi |
| into |
| push ss |
| push ebp |
| dec ebp |
| push ebp |
| cmc |
| movsb |
| loopne 00007FC4C890E39Ah |
| jp 00007FC4C890E356h |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2d4020 | 0x214 | .data |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2d4000 | 0xc | .data |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| 0x1000 | 0x3c000 | 0x1ee00 | 14da312f7b3fb99572bd5cc130cbac72 | False | 0.9973668395748988 | data | 7.996796575455478 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
| 0x3d000 | 0x3000 | 0xe00 | 755aeebb276de7cab39558d5dd165699 | False | 0.9757254464285714 | data | 7.847458728276635 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
| 0x40000 | 0x10000 | 0x2e00 | 1d18e9b87e32f0589fff2dc2b7cebb9d | False | 0.9814028532608695 | COM executable for DOS | 7.94106645050363 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
| 0x50000 | 0x1000 | 0x200 | efebc7032129c08503412fcbeb1e096a | False | 0.04296875 | data | 0.1833387916558982 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
| 0x51000 | 0x4000 | 0x2200 | 15c53adce10ff06578b0fa43e2fe0537 | False | 0.9555376838235294 | data | 7.842449506195032 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
| 0x55000 | 0x27f000 | 0x2ba00 | bdbd9ac0030aa80ac8b90095a1090ff9 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
| .data | 0x2d4000 | 0xe5000 | 0xe4e00 | fd988c8d7a5589c8d61ab3d57569de78 | False | 0.9971177805843802 | data | 7.981701136395229 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| DLL | Import |
|---|---|
| kernel32.dll | GetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA |
| user32.dll | MessageBoxA |
| advapi32.dll | RegCloseKey |
| oleaut32.dll | SysFreeString |
| gdi32.dll | CreateFontA |
| shell32.dll | ShellExecuteA |
| version.dll | GetFileVersionInfoA |
| ole32.dll | CoCreateInstance |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-03T21:15:54.737602+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49712 | 104.21.85.66 | 443 | TCP |
| 2025-01-03T21:15:55.525902+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49712 | 104.21.85.66 | 443 | TCP |
| 2025-01-03T21:15:55.525902+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49712 | 104.21.85.66 | 443 | TCP |
| 2025-01-03T21:15:56.021354+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49713 | 104.21.85.66 | 443 | TCP |
| 2025-01-03T21:15:58.111101+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.5 | 49713 | 104.21.85.66 | 443 | TCP |
| 2025-01-03T21:15:58.111101+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49713 | 104.21.85.66 | 443 | TCP |
| 2025-01-03T21:15:58.933728+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49714 | 104.21.85.66 | 443 | TCP |
| 2025-01-03T21:16:00.200140+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49715 | 104.21.85.66 | 443 | TCP |
| 2025-01-03T21:16:01.422433+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49716 | 104.21.85.66 | 443 | TCP |
| 2025-01-03T21:16:03.519497+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49717 | 104.21.85.66 | 443 | TCP |
| 2025-01-03T21:16:07.821692+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.5 | 49717 | 104.21.85.66 | 443 | TCP |
| 2025-01-03T21:16:08.681791+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49718 | 104.21.85.66 | 443 | TCP |
| 2025-01-03T21:16:08.694065+0100 | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 1 | 192.168.2.5 | 49718 | 104.21.85.66 | 443 | TCP |
| 2025-01-03T21:16:11.545327+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49720 | 104.21.85.66 | 443 | TCP |
| 2025-01-03T21:16:12.033448+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49720 | 104.21.85.66 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 3, 2025 21:15:54.253422976 CET | 49712 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:54.253494024 CET | 443 | 49712 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:54.253561974 CET | 49712 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:54.256691933 CET | 49712 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:54.256711006 CET | 443 | 49712 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:54.737523079 CET | 443 | 49712 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:54.737601995 CET | 49712 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:54.739308119 CET | 49712 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:54.739322901 CET | 443 | 49712 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:54.739804029 CET | 443 | 49712 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:54.783616066 CET | 49712 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:54.783646107 CET | 49712 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:54.783739090 CET | 443 | 49712 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:55.525903940 CET | 443 | 49712 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:55.526021957 CET | 443 | 49712 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:55.526237965 CET | 49712 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:55.527782917 CET | 49712 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:55.527807951 CET | 443 | 49712 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:55.527820110 CET | 49712 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:55.527826071 CET | 443 | 49712 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:55.535218000 CET | 49713 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:55.535270929 CET | 443 | 49713 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:55.535358906 CET | 49713 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:55.535645008 CET | 49713 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:55.535664082 CET | 443 | 49713 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:56.021218061 CET | 443 | 49713 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:56.021353960 CET | 49713 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:56.023076057 CET | 49713 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:56.023086071 CET | 443 | 49713 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:56.023344994 CET | 443 | 49713 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:56.024447918 CET | 49713 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:56.024481058 CET | 49713 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:56.024538040 CET | 443 | 49713 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:58.111140966 CET | 443 | 49713 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:58.111188889 CET | 443 | 49713 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:58.111232042 CET | 443 | 49713 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:58.111279011 CET | 443 | 49713 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:58.111329079 CET | 443 | 49713 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:58.111437082 CET | 49713 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:58.111437082 CET | 49713 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:58.111452103 CET | 443 | 49713 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:58.111500978 CET | 49713 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:58.111594915 CET | 443 | 49713 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:58.111656904 CET | 443 | 49713 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:58.111700058 CET | 49713 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:58.111706972 CET | 443 | 49713 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:58.112297058 CET | 443 | 49713 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:58.112349033 CET | 49713 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:58.112354994 CET | 443 | 49713 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:58.115979910 CET | 443 | 49713 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:58.116027117 CET | 49713 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:58.116034031 CET | 443 | 49713 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:58.161851883 CET | 49713 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:58.203161955 CET | 443 | 49713 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:58.203233004 CET | 443 | 49713 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:58.203283072 CET | 49713 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:58.203294039 CET | 443 | 49713 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:58.203330994 CET | 443 | 49713 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:58.203377962 CET | 49713 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:58.203463078 CET | 49713 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:58.203476906 CET | 443 | 49713 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:58.203486919 CET | 49713 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:58.203491926 CET | 443 | 49713 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:58.448661089 CET | 49714 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:58.448721886 CET | 443 | 49714 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:58.448801041 CET | 49714 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:58.449103117 CET | 49714 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:58.449120045 CET | 443 | 49714 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:58.933531046 CET | 443 | 49714 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:58.933727980 CET | 49714 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:58.934930086 CET | 49714 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:58.934942961 CET | 443 | 49714 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:58.935192108 CET | 443 | 49714 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:58.936491966 CET | 49714 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:58.936646938 CET | 49714 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:58.936691999 CET | 443 | 49714 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:59.575301886 CET | 443 | 49714 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:59.575421095 CET | 443 | 49714 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:59.575520992 CET | 49714 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:59.575623035 CET | 49714 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:59.575644970 CET | 443 | 49714 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:59.712796926 CET | 49715 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:59.712835073 CET | 443 | 49715 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:15:59.712901115 CET | 49715 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:59.713186026 CET | 49715 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:15:59.713197947 CET | 443 | 49715 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:00.200054884 CET | 443 | 49715 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:00.200139999 CET | 49715 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:00.201334000 CET | 49715 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:00.201348066 CET | 443 | 49715 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:00.201607943 CET | 443 | 49715 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:00.202770948 CET | 49715 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:00.202884912 CET | 49715 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:00.202915907 CET | 443 | 49715 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:00.202974081 CET | 49715 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:00.243335962 CET | 443 | 49715 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:00.755100965 CET | 443 | 49715 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:00.755186081 CET | 443 | 49715 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:00.755347013 CET | 49715 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:00.755409956 CET | 49715 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:00.755426884 CET | 443 | 49715 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:00.947016001 CET | 49716 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:00.947065115 CET | 443 | 49716 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:00.947161913 CET | 49716 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:00.947469950 CET | 49716 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:00.947485924 CET | 443 | 49716 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:01.422274113 CET | 443 | 49716 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:01.422432899 CET | 49716 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:01.423491955 CET | 49716 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:01.423506975 CET | 443 | 49716 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:01.423734903 CET | 443 | 49716 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:01.424674034 CET | 49716 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:01.424793005 CET | 49716 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:01.424819946 CET | 443 | 49716 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:01.424906015 CET | 49716 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:01.424916029 CET | 443 | 49716 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:02.701093912 CET | 443 | 49716 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:02.701215029 CET | 443 | 49716 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:02.701334953 CET | 49716 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:02.701497078 CET | 49716 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:02.701527119 CET | 443 | 49716 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:02.974776983 CET | 49717 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:02.974831104 CET | 443 | 49717 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:02.974939108 CET | 49717 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:02.975220919 CET | 49717 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:02.975235939 CET | 443 | 49717 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:03.519361973 CET | 443 | 49717 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:03.519496918 CET | 49717 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:03.521332979 CET | 49717 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:03.521353006 CET | 443 | 49717 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:03.521673918 CET | 443 | 49717 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:03.525851011 CET | 49717 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:03.525963068 CET | 49717 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:03.525974035 CET | 443 | 49717 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:07.821693897 CET | 443 | 49717 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:07.821793079 CET | 443 | 49717 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:07.821847916 CET | 49717 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:07.821965933 CET | 49717 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:07.821985960 CET | 443 | 49717 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:08.222135067 CET | 49718 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:08.222209930 CET | 443 | 49718 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:08.222337008 CET | 49718 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:08.222657919 CET | 49718 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:08.222672939 CET | 443 | 49718 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:08.681577921 CET | 443 | 49718 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:08.681791067 CET | 49718 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:08.682895899 CET | 49718 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:08.682917118 CET | 443 | 49718 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:08.683159113 CET | 443 | 49718 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:08.692662001 CET | 49718 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:08.693707943 CET | 49718 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:08.693738937 CET | 443 | 49718 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:08.693842888 CET | 49718 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:08.693873882 CET | 443 | 49718 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:08.693972111 CET | 49718 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:08.693994999 CET | 443 | 49718 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:08.694123983 CET | 49718 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:08.694154978 CET | 443 | 49718 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:08.694293022 CET | 49718 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:08.694323063 CET | 443 | 49718 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:08.694469929 CET | 49718 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:08.694495916 CET | 443 | 49718 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:08.694504976 CET | 49718 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:08.694519043 CET | 443 | 49718 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:08.694674969 CET | 49718 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:08.694700003 CET | 443 | 49718 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:08.694721937 CET | 49718 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:08.694856882 CET | 49718 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:08.694895029 CET | 49718 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:08.702634096 CET | 443 | 49718 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:08.702836990 CET | 49718 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:08.702871084 CET | 443 | 49718 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:08.702902079 CET | 49718 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:08.702946901 CET | 49718 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:08.704109907 CET | 443 | 49718 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:11.067852020 CET | 443 | 49718 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:11.067962885 CET | 443 | 49718 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:11.068025112 CET | 49718 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:11.068440914 CET | 49718 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:11.068464994 CET | 443 | 49718 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:11.076875925 CET | 49720 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:11.076936007 CET | 443 | 49720 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:11.077037096 CET | 49720 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:11.077280045 CET | 49720 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:11.077305079 CET | 443 | 49720 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:11.545186043 CET | 443 | 49720 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:11.545326948 CET | 49720 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:11.547954082 CET | 49720 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:11.547959089 CET | 443 | 49720 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:11.548196077 CET | 443 | 49720 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:11.549386024 CET | 49720 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:11.549413919 CET | 49720 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:11.549472094 CET | 443 | 49720 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:12.033447981 CET | 443 | 49720 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:12.033500910 CET | 443 | 49720 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:12.033540964 CET | 443 | 49720 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:12.033551931 CET | 49720 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:12.033561945 CET | 443 | 49720 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:12.033600092 CET | 443 | 49720 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:12.033612013 CET | 49720 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:12.033617973 CET | 443 | 49720 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:12.033662081 CET | 49720 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:12.033668041 CET | 443 | 49720 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:12.034297943 CET | 443 | 49720 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:12.034331083 CET | 443 | 49720 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:12.034342051 CET | 49720 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:12.034348965 CET | 443 | 49720 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:12.034395933 CET | 49720 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:12.034403086 CET | 443 | 49720 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:12.038160086 CET | 443 | 49720 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:12.038209915 CET | 49720 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:12.038305998 CET | 49720 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:12.038316965 CET | 443 | 49720 | 104.21.85.66 | 192.168.2.5 |
| Jan 3, 2025 21:16:12.038341999 CET | 49720 | 443 | 192.168.2.5 | 104.21.85.66 |
| Jan 3, 2025 21:16:12.038347960 CET | 443 | 49720 | 104.21.85.66 | 192.168.2.5 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 3, 2025 21:15:54.202797890 CET | 50455 | 53 | 192.168.2.5 | 1.1.1.1 |
| Jan 3, 2025 21:15:54.218163013 CET | 53 | 50455 | 1.1.1.1 | 192.168.2.5 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Jan 3, 2025 21:15:54.202797890 CET | 192.168.2.5 | 1.1.1.1 | 0x85fb | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jan 3, 2025 21:15:54.218163013 CET | 1.1.1.1 | 192.168.2.5 | 0x85fb | No error (0) | 104.21.85.66 | A (IP address) | IN (0x0001) | false | ||
| Jan 3, 2025 21:15:54.218163013 CET | 1.1.1.1 | 192.168.2.5 | 0x85fb | No error (0) | 172.67.203.16 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 49712 | 104.21.85.66 | 443 | 7292 | C:\Users\user\Desktop\hthjjadrthad.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-03 20:15:54 UTC | 265 | OUT | |
| 2025-01-03 20:15:54 UTC | 8 | OUT | |
| 2025-01-03 20:15:55 UTC | 1129 | IN | |
| 2025-01-03 20:15:55 UTC | 7 | IN | |
| 2025-01-03 20:15:55 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.5 | 49713 | 104.21.85.66 | 443 | 7292 | C:\Users\user\Desktop\hthjjadrthad.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-03 20:15:56 UTC | 266 | OUT | |
| 2025-01-03 20:15:56 UTC | 51 | OUT | |
| 2025-01-03 20:15:58 UTC | 1132 | IN | |
| 2025-01-03 20:15:58 UTC | 237 | IN | |
| 2025-01-03 20:15:58 UTC | 1369 | IN | |
| 2025-01-03 20:15:58 UTC | 1369 | IN | |
| 2025-01-03 20:15:58 UTC | 1369 | IN | |
| 2025-01-03 20:15:58 UTC | 1369 | IN | |
| 2025-01-03 20:15:58 UTC | 1369 | IN | |
| 2025-01-03 20:15:58 UTC | 1369 | IN | |
| 2025-01-03 20:15:58 UTC | 1369 | IN | |
| 2025-01-03 20:15:58 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.5 | 49714 | 104.21.85.66 | 443 | 7292 | C:\Users\user\Desktop\hthjjadrthad.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-03 20:15:58 UTC | 275 | OUT | |
| 2025-01-03 20:15:58 UTC | 12785 | OUT | |
| 2025-01-03 20:15:59 UTC | 1128 | IN | |
| 2025-01-03 20:15:59 UTC | 20 | IN | |
| 2025-01-03 20:15:59 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.5 | 49715 | 104.21.85.66 | 443 | 7292 | C:\Users\user\Desktop\hthjjadrthad.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-03 20:16:00 UTC | 281 | OUT | |
| 2025-01-03 20:16:00 UTC | 15063 | OUT | |
| 2025-01-03 20:16:00 UTC | 1136 | IN | |
| 2025-01-03 20:16:00 UTC | 20 | IN | |
| 2025-01-03 20:16:00 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.5 | 49716 | 104.21.85.66 | 443 | 7292 | C:\Users\user\Desktop\hthjjadrthad.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-03 20:16:01 UTC | 275 | OUT | |
| 2025-01-03 20:16:01 UTC | 15331 | OUT | |
| 2025-01-03 20:16:01 UTC | 5186 | OUT | |
| 2025-01-03 20:16:02 UTC | 1134 | IN | |
| 2025-01-03 20:16:02 UTC | 20 | IN | |
| 2025-01-03 20:16:02 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.5 | 49717 | 104.21.85.66 | 443 | 7292 | C:\Users\user\Desktop\hthjjadrthad.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-03 20:16:03 UTC | 281 | OUT | |
| 2025-01-03 20:16:03 UTC | 1233 | OUT | |
| 2025-01-03 20:16:07 UTC | 1130 | IN | |
| 2025-01-03 20:16:07 UTC | 20 | IN | |
| 2025-01-03 20:16:07 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.5 | 49718 | 104.21.85.66 | 443 | 7292 | C:\Users\user\Desktop\hthjjadrthad.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-03 20:16:08 UTC | 283 | OUT | |
| 2025-01-03 20:16:08 UTC | 15331 | OUT | |
| 2025-01-03 20:16:08 UTC | 15331 | OUT | |
| 2025-01-03 20:16:08 UTC | 15331 | OUT | |
| 2025-01-03 20:16:08 UTC | 15331 | OUT | |
| 2025-01-03 20:16:08 UTC | 15331 | OUT | |
| 2025-01-03 20:16:08 UTC | 15331 | OUT | |
| 2025-01-03 20:16:08 UTC | 15331 | OUT | |
| 2025-01-03 20:16:08 UTC | 15331 | OUT | |
| 2025-01-03 20:16:08 UTC | 15331 | OUT | |
| 2025-01-03 20:16:08 UTC | 15331 | OUT | |
| 2025-01-03 20:16:11 UTC | 1141 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.5 | 49720 | 104.21.85.66 | 443 | 7292 | C:\Users\user\Desktop\hthjjadrthad.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-03 20:16:11 UTC | 266 | OUT | |
| 2025-01-03 20:16:11 UTC | 86 | OUT | |
| 2025-01-03 20:16:12 UTC | 1131 | IN | |
| 2025-01-03 20:16:12 UTC | 238 | IN | |
| 2025-01-03 20:16:12 UTC | 1369 | IN | |
| 2025-01-03 20:16:12 UTC | 1369 | IN | |
| 2025-01-03 20:16:12 UTC | 1369 | IN | |
| 2025-01-03 20:16:12 UTC | 1369 | IN | |
| 2025-01-03 20:16:12 UTC | 1369 | IN | |
| 2025-01-03 20:16:12 UTC | 1369 | IN | |
| 2025-01-03 20:16:12 UTC | 1369 | IN | |
| 2025-01-03 20:16:12 UTC | 1369 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
| Target ID: | 0 |
| Start time: | 15:15:53 |
| Start date: | 03/01/2025 |
| Path: | C:\Users\user\Desktop\hthjjadrthad.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x4a0000 |
| File size: | 1'268'224 bytes |
| MD5 hash: | 8CB303A0D38BFD91163192B53CE3B01D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 3.6% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 73.9% |
| Total number of Nodes: | 184 |
| Total number of Limit Nodes: | 13 |
Graph
Function 004C0400 Relevance: 35.6, Strings: 28, Instructions: 592COMMON
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004C1723 Relevance: 16.1, Strings: 12, Instructions: 1124COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004A95A0 Relevance: 11.6, Strings: 9, Instructions: 349COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004C20A0 Relevance: 8.0, Strings: 6, Instructions: 533COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004C4B40 Relevance: 4.1, Strings: 3, Instructions: 395COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004AD237 Relevance: 4.1, Strings: 3, Instructions: 349COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00659208 Relevance: 3.9, Strings: 3, Instructions: 184COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0054A710 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52filenativeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0054A634 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9nativeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004DB530 Relevance: 2.6, Strings: 2, Instructions: 138COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004B5A41 Relevance: 1.8, APIs: 1, Instructions: 317COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004D9410 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004A87A0 Relevance: 1.4, Strings: 1, Instructions: 184COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004AE179 Relevance: 1.4, Strings: 1, Instructions: 181COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004ABB9A Relevance: 1.4, Strings: 1, Instructions: 169COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004DB770 Relevance: 1.4, Strings: 1, Instructions: 147COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005A8CA4 Relevance: 1.4, Strings: 1, Instructions: 128COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004DC430 Relevance: .3, Instructions: 326COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004DBB40 Relevance: .3, Instructions: 289COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004D79A0 Relevance: .3, Instructions: 265COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00548CC0 Relevance: .1, Instructions: 55COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00522490 Relevance: .0, Instructions: 46COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0054A7F0 Relevance: .0, Instructions: 19COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004D93B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02A93EF0 Relevance: 1.7, APIs: 1, Instructions: 211COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02A93FF6 Relevance: 1.6, APIs: 1, Instructions: 90COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004ACB80 Relevance: 1.5, APIs: 1, Instructions: 20COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004D7950 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004ACBBE Relevance: 1.5, APIs: 1, Instructions: 17COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00662598 Relevance: 1.3, APIs: 1, Instructions: 21memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005C3498 Relevance: 40.7, Strings: 32, Instructions: 740COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004C2B51 Relevance: 29.8, Strings: 23, Instructions: 1023COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004ACBF0 Relevance: 21.5, Strings: 17, Instructions: 287COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004B154E Relevance: 13.0, Strings: 10, Instructions: 533COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004A8F10 Relevance: 12.8, Strings: 10, Instructions: 268COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004B780A Relevance: 12.3, Strings: 9, Instructions: 1088COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004BFA60 Relevance: 11.7, Strings: 9, Instructions: 430COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004AB455 Relevance: 11.6, Strings: 9, Instructions: 375COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004C4F90 Relevance: 10.4, Strings: 8, Instructions: 392COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004AA8D0 Relevance: 9.1, Strings: 7, Instructions: 391COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004B9500 Relevance: 7.4, Strings: 5, Instructions: 1156COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004BD6B0 Relevance: 7.1, Strings: 5, Instructions: 891COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005F905C Relevance: 6.9, Strings: 5, Instructions: 623COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004A9180 Relevance: 6.7, Strings: 5, Instructions: 415COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005EEE4C Relevance: 6.4, Strings: 5, Instructions: 179COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004B6F27 Relevance: 5.6, Strings: 4, Instructions: 581COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004C4320 Relevance: 5.4, Strings: 4, Instructions: 415COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004B8CC2 Relevance: 5.4, Strings: 4, Instructions: 367COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004C4000 Relevance: 5.3, Strings: 4, Instructions: 256COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004D55F0 Relevance: 4.3, Strings: 3, Instructions: 510COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004BC220 Relevance: 4.1, Strings: 3, Instructions: 363COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004BBE77 Relevance: 4.1, Strings: 3, Instructions: 335COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004B75F2 Relevance: 4.0, Strings: 3, Instructions: 272COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004C2780 Relevance: 4.0, Strings: 3, Instructions: 239COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004B5753 Relevance: 4.0, Strings: 3, Instructions: 220COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0054A36C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52filenativeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0054A180 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48nativeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0054A48C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48filenativeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00549B50 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48filenativeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00549E6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48filenativeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00549CA0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44nativeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00549BE4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40nativethreadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00549C50 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40nativeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00549F04 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40nativeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0054A028 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36nativeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0054A3F4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36nativeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0054A5EC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36nativeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00549FE8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32nativeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0054A338 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26nativeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0054A43C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26filenativeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0054A4EC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26filenativeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00549DE0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26nativeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0054A2C4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 11nativeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0054A53C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 11nativeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004A4C10 Relevance: 3.3, Strings: 2, Instructions: 805COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004D82A0 Relevance: 3.2, Strings: 2, Instructions: 702COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00602C38 Relevance: 3.1, Strings: 2, Instructions: 620COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004B5180 Relevance: 3.0, Strings: 2, Instructions: 466COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005C8A04 Relevance: 2.9, Strings: 2, Instructions: 390COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004C5AD0 Relevance: 2.9, Strings: 2, Instructions: 362COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004C5D06 Relevance: 2.8, Strings: 2, Instructions: 346COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004A42E0 Relevance: 2.8, Strings: 2, Instructions: 329COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004DBE00 Relevance: 2.8, Strings: 2, Instructions: 306COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005CBA18 Relevance: 2.8, Strings: 2, Instructions: 304COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004C29F0 Relevance: 2.7, Strings: 2, Instructions: 184COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004BAD34 Relevance: 2.6, Strings: 2, Instructions: 148COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004B6A4C Relevance: 2.6, Strings: 2, Instructions: 70COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004C4FB0 Relevance: 2.6, Strings: 2, Instructions: 62COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00564C0C Relevance: 2.2, Strings: 1, Instructions: 905COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004B4550 Relevance: 2.0, Strings: 1, Instructions: 717COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005F713C Relevance: 1.9, Strings: 1, Instructions: 681COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005CFEB0 Relevance: 1.8, Strings: 1, Instructions: 518COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004BB830 Relevance: 1.7, Strings: 1, Instructions: 481COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004C1080 Relevance: 1.7, Strings: 1, Instructions: 451COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004DACE0 Relevance: 1.6, Strings: 1, Instructions: 399COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005FA8C4 Relevance: 1.6, Strings: 1, Instructions: 368COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004BCA10 Relevance: 1.6, Strings: 1, Instructions: 315COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00549CF8 Relevance: 1.6, APIs: 1, Instructions: 52nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0054A58C Relevance: 1.5, APIs: 1, Instructions: 48nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0054A070 Relevance: 1.5, APIs: 1, Instructions: 32nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0054A0B0 Relevance: 1.5, APIs: 1, Instructions: 32nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0054A1E0 Relevance: 1.5, APIs: 1, Instructions: 32nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00549F74 Relevance: 1.5, APIs: 1, Instructions: 32nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0054A558 Relevance: 1.5, APIs: 1, Instructions: 26nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00549BB0 Relevance: 1.5, APIs: 1, Instructions: 26nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00549FB4 Relevance: 1.5, APIs: 1, Instructions: 26nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0054A27C Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00549D60 Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004A5DC0 Relevance: 1.5, Strings: 1, Instructions: 265COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00549F54 Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00532FF0 Relevance: 1.5, Strings: 1, Instructions: 259COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004C93A0 Relevance: 1.5, Strings: 1, Instructions: 248COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005F0434 Relevance: 1.5, Strings: 1, Instructions: 238COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005E3958 Relevance: 1.5, Strings: 1, Instructions: 236COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004BD180 Relevance: 1.5, Strings: 1, Instructions: 228COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004D7E80 Relevance: 1.5, Strings: 1, Instructions: 207COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005CBF48 Relevance: 1.5, Strings: 1, Instructions: 207COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004AEFD0 Relevance: 1.4, Strings: 1, Instructions: 186COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005A8264 Relevance: 1.4, Strings: 1, Instructions: 181COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005A8600 Relevance: 1.4, Strings: 1, Instructions: 181COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005A8A40 Relevance: 1.4, Strings: 1, Instructions: 181COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004B884A Relevance: 1.4, Strings: 1, Instructions: 168COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004B8A0E Relevance: 1.4, Strings: 1, Instructions: 165COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004BB1E1 Relevance: 1.4, Strings: 1, Instructions: 165COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004DB220 Relevance: 1.4, Strings: 1, Instructions: 129COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005A7268 Relevance: 1.4, Strings: 1, Instructions: 120COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004A89C0 Relevance: 1.3, Strings: 1, Instructions: 85COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004ADF11 Relevance: 1.3, Strings: 1, Instructions: 65COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004B69BC Relevance: 1.3, Strings: 1, Instructions: 58COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004AD046 Relevance: 1.3, Strings: 1, Instructions: 12COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004A65F0 Relevance: .7, Instructions: 665COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004A2F30 Relevance: .7, Instructions: 657COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004A73D0 Relevance: .6, Instructions: 625COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004A3930 Relevance: .6, Instructions: 600COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004BE7E0 Relevance: .6, Instructions: 595COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005C7AC8 Relevance: .5, Instructions: 521COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00585C28 Relevance: .4, Instructions: 405COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004A5900 Relevance: .4, Instructions: 400COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004BCD70 Relevance: .3, Instructions: 337COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004A8260 Relevance: .3, Instructions: 321COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005DCFF0 Relevance: .3, Instructions: 320COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0065DF40 Relevance: .3, Instructions: 320COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004DC120 Relevance: .3, Instructions: 306COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004A6160 Relevance: .3, Instructions: 303COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02A93988 Relevance: .3, Instructions: 293COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004D4200 Relevance: .3, Instructions: 284COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0057682C Relevance: .3, Instructions: 284COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005E3E80 Relevance: .3, Instructions: 284COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0053D97C Relevance: .3, Instructions: 258COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005F680C Relevance: .2, Instructions: 238COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004BA500 Relevance: .2, Instructions: 235COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004DA960 Relevance: .2, Instructions: 227COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005FD01C Relevance: .2, Instructions: 222COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0055ABB0 Relevance: .2, Instructions: 218COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004C611F Relevance: .2, Instructions: 200COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005FCD68 Relevance: .2, Instructions: 190COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004D3FA0 Relevance: .2, Instructions: 189COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005A5AC8 Relevance: .2, Instructions: 174COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004BD4C0 Relevance: .2, Instructions: 169COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004C8830 Relevance: .2, Instructions: 160COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00601048 Relevance: .2, Instructions: 158COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005A5D94 Relevance: .1, Instructions: 123COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 005A5F24 Relevance: .1, Instructions: 123COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004C6910 Relevance: .1, Instructions: 118COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004A7FD0 Relevance: .1, Instructions: 107COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004A2B90 Relevance: .1, Instructions: 76COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02A94547 Relevance: .1, Instructions: 66COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004C89A0 Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02A943A4 Relevance: .1, Instructions: 57COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004AA4B5 Relevance: .0, Instructions: 48COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004C0386 Relevance: .0, Instructions: 41COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004DA8F0 Relevance: .0, Instructions: 41COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004AC1E5 Relevance: .0, Instructions: 14COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004AA0A0 Relevance: .0, Instructions: 8COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|