Windows
Analysis Report
un30brGAKP.exe
Overview
General Information
Sample name: | un30brGAKP.exe (renamed because original name is a hash value) |
Original sample name: | 36db2173d6f06d276b72ea725d9a81ac.exe |
Analysis ID: | 1584669 |
MD5: | 36db2173d6f06d276b72ea725d9a81ac |
SHA1: | ac1d252fe08dee826c9bc789cabae47635b3e9b0 |
SHA256: | c436b9f7bc178e51eb1380a5affa9c1ce0acf980a9cf7a193a36edef132e5c00 |
Tags: | exe, user-abuse_ch |
Infos: | |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- un30brGAKP.exe (PID: 6868 cmdline: "C:\Users\user\Desktop\un30brGAKP.exe" MD5: 36DB2173D6F06D276B72EA725D9A81AC)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | |
{"C2 url": ["wholersorie.shop", "tirepublicerj.shop", "nearycrepso.shop", "rabidcowse.shop", "framekgirus.shop", "abruptyopsn.shop", "impossiblekdo.click", "noisycuttej.shop", "cloudewahsj.shop"], "Build id": "LPnhqo--ewwjplqmoyou"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | ||
JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-06T07:43:59.799217+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 188.114.97.3 | 443 | TCP |
2025-01-06T07:44:00.751157+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 188.114.97.3 | 443 | TCP |
2025-01-06T07:44:02.122964+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 188.114.97.3 | 443 | TCP |
2025-01-06T07:44:03.372318+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49734 | 188.114.97.3 | 443 | TCP |
2025-01-06T07:44:05.137175+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49735 | 188.114.97.3 | 443 | TCP |
2025-01-06T07:44:06.687867+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49736 | 188.114.97.3 | 443 | TCP |
2025-01-06T07:44:08.248651+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 188.114.97.3 | 443 | TCP |
2025-01-06T07:44:10.852062+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49738 | 188.114.97.3 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-06T07:44:00.266309+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 188.114.97.3 | 443 | TCP |
2025-01-06T07:44:01.249780+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49732 | 188.114.97.3 | 443 | TCP |
2025-01-06T07:44:11.323779+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49738 | 188.114.97.3 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-06T07:44:00.266309+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 188.114.97.3 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-06T07:44:01.249780+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49732 | 188.114.97.3 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-06T07:44:02.783191+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 188.114.97.3 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-06T07:44:08.252673+0100 | 2843864 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 188.114.97.3 | 443 | TCP |
AV Detection |
---|
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: |
Source: | Code function: | 0_2_00D95050 |
Source: | Static PE information: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Code function: | 0_2_00E03490 |
Source: | Code function: | 0_2_00DBEC20 | |
Source: | Code function: | 0_2_00DBEC20 | |
Source: | Code function: | 0_2_00DBED50 | |
Source: | Code function: | 0_2_00D8CFA8 | |
Source: | Code function: | 0_2_00D95050 | |
Source: | Code function: | 0_2_00DBB150 | |
Source: | Code function: | 0_2_00DBB150 | |
Source: | Code function: | 0_2_00D8D3E9 | |
Source: | Code function: | 0_2_00DA5A60 | |
Source: | Code function: | 0_2_00D8DDBE | |
Source: | Code function: | 0_2_00D89D30 | |
Source: | Code function: | 0_2_00DBFFB0 | |
Source: | Code function: | 0_2_00DC0130 | |
Source: | Code function: | 0_2_00DC0130 | |
Source: | Code function: | 0_2_00D943D0 | |
Source: | Code function: | 0_2_00D8A2B5 | |
Source: | Code function: | 0_2_00D8A6AA | |
Source: | Code function: | 0_2_00DA8890 | |
Source: | Code function: | 0_2_00D890B0 | |
Source: | Code function: | 0_2_00DA5210 | |
Source: | Code function: | 0_2_00D89390 | |
Source: | Code function: | 0_2_00D874E0 | |
Source: | Code function: | 0_2_00DA3400 | |
Source: | Code function: | 0_2_00DBB7C0 | |
Source: | Code function: | 0_2_00DBB7C0 | |
Source: | Code function: | 0_2_00D8B909 | |
Source: | Code function: | 0_2_00DBFEE0 | |
Source: | Code function: | 0_2_00DA5E00 | |
Source: | Code function: | 0_2_00DA5E00 |
Networking |
---|
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: |
Source: | IP Address: | ||
Source: | IP Address: |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Code function: | 0_2_037F1000 |
Source: | Code function: | 0_2_037F1000 |
Source: | Code function: | 0_2_037F1000 |
Source: | File source: |
System Summary |
---|
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Process Stats: |
Source: | Code function: | 0_2_00E2B6B8 | |
Source: | Code function: | 0_2_00E2B650 | |
Source: | Code function: | 0_2_00E2B634 | |
Source: | Code function: | 0_2_00E2B7F0 | |
Source: | Code function: | 0_2_00E2B710 | |
Source: | Code function: | 0_2_00E2BBD0 | |
Source: | Code function: | 0_2_00E2ABE4 | |
Source: | Code function: | 0_2_00E2ABB0 | |
Source: | Code function: | 0_2_00E2AB50 | |
Source: | Code function: | 0_2_00E2ACF8 | |
Source: | Code function: | 0_2_00E2ACA0 | |
Source: | Code function: | 0_2_00E2AC50 | |
Source: | Code function: | 0_2_00E2ADE0 | |
Source: | Code function: | 0_2_00E2AD8C | |
Source: | Code function: | 0_2_00E2AD60 | |
Source: | Code function: | 0_2_00E2AE6C | |
Source: | Code function: | 0_2_00E2AE14 | |
Source: | Code function: | 0_2_00E2AFE8 | |
Source: | Code function: | 0_2_00E2AFB4 | |
Source: | Code function: | 0_2_00E2AF74 | |
Source: | Code function: | 0_2_00E2AF54 | |
Source: | Code function: | 0_2_00E2AF04 | |
Source: | Code function: | 0_2_00E2B0B0 | |
Source: | Code function: | 0_2_00E2B070 | |
Source: | Code function: | 0_2_00E2B028 | |
Source: | Code function: | 0_2_00E2B1E0 | |
Source: | Code function: | 0_2_00E2B180 | |
Source: | Code function: | 0_2_00E2B2E0 | |
Source: | Code function: | 0_2_00E2B2C4 | |
Source: | Code function: | 0_2_00E2B27C | |
Source: | Code function: | 0_2_00E2B3F4 | |
Source: | Code function: | 0_2_00E2B36C | |
Source: | Code function: | 0_2_00E2B338 | |
Source: | Code function: | 0_2_00E2B4EC | |
Source: | Code function: | 0_2_00E2B48C | |
Source: | Code function: | 0_2_00E2B43C | |
Source: | Code function: | 0_2_00E2B5EC | |
Source: | Code function: | 0_2_00E2B58C | |
Source: | Code function: | 0_2_00E2B558 | |
Source: | Code function: | 0_2_00E2B53C | |
Source: | Code function: | 0_2_00E2B684 | |
Source: | Code function: | 0_2_00E2B778 |
Source: | Code function: | 0_2_00E89CA4 |
Source: | Code function: | 0_2_00D9062F | |
Source: | Code function: | 0_2_00D88790 | |
Source: | Code function: | 0_2_00D8AC50 | |
Source: | Code function: | 0_2_00DA0D80 | |
Source: | Code function: | 0_2_00DBED50 | |
Source: | Code function: | 0_2_00D95050 | |
Source: | Code function: | 0_2_00DBB150 | |
Source: | Code function: | 0_2_00D8D3E9 | |
Source: | Code function: | 0_2_00DBF670 | |
Source: | Code function: | 0_2_00DA5A60 | |
Source: | Code function: | 0_2_00DB7BA0 | |
Source: | Code function: | 0_2_00D91CE0 | |
Source: | Code function: | 0_2_00EE2048 | |
Source: | Code function: | 0_2_00EDA05C | |
Source: | Code function: | 0_2_00EDE01C | |
Source: | Code function: | 0_2_00ED813C | |
Source: | Code function: | 0_2_00D86270 | |
Source: | Code function: | 0_2_00D84260 | |
Source: | Code function: | 0_2_00D943D0 | |
Source: | Code function: | 0_2_00D88320 | |
Source: | Code function: | 0_2_00EA4498 | |
Source: | Code function: | 0_2_00DBE5B0 | |
Source: | Code function: | 0_2_00DBE640 | |
Source: | Code function: | 0_2_00D86700 | |
Source: | Code function: | 0_2_00E1E97C | |
Source: | Code function: | 0_2_00EC4958 | |
Source: | Code function: | 0_2_00E86AC8 | |
Source: | Code function: | 0_2_00EA8AC8 | |
Source: | Code function: | 0_2_00D8EAA0 | |
Source: | Code function: | 0_2_00EACA18 | |
Source: | Code function: | 0_2_00D84B90 | |
Source: | Code function: | 0_2_00D9ECF0 | |
Source: | Code function: | 0_2_00E66C28 | |
Source: | Code function: | 0_2_00E86D94 | |
Source: | Code function: | 0_2_00DA2D70 | |
Source: | Code function: | 0_2_00D82E90 | |
Source: | Code function: | 0_2_00EB0EB0 | |
Source: | Code function: | 0_2_00EC4E80 | |
Source: | Code function: | 0_2_00EACF48 | |
Source: | Code function: | 0_2_00D9CF70 | |
Source: | Code function: | 0_2_00F3EF40 | |
Source: | Code function: | 0_2_00E86F24 | |
Source: | Code function: | 0_2_00D8B0C0 | |
Source: | Code function: | 0_2_00D890B0 | |
Source: | Code function: | 0_2_00DBF050 | |
Source: | Code function: | 0_2_00DAD1C0 | |
Source: | Code function: | 0_2_00D91196 | |
Source: | Code function: | 0_2_00DB72D0 | |
Source: | Code function: | 0_2_00D9D250 | |
Source: | Code function: | 0_2_00E89264 | |
Source: | Code function: | 0_2_00DA5210 | |
Source: | Code function: | 0_2_00D89390 | |
Source: | Code function: | 0_2_00D874E0 | |
Source: | Code function: | 0_2_00D8B49D | |
Source: | Code function: | 0_2_00ED1434 | |
Source: | Code function: | 0_2_00DA3400 | |
Source: | Code function: | 0_2_00DA36B0 | |
Source: | Code function: | 0_2_00E89600 | |
Source: | Code function: | 0_2_00D897D0 | |
Source: | Code function: | 0_2_00EDB8C4 | |
Source: | Code function: | 0_2_00D838B0 | |
Source: | Code function: | 0_2_00D858B0 | |
Source: | Code function: | 0_2_00DBB860 | |
Source: | Code function: | 0_2_00E5782C | |
Source: | Code function: | 0_2_00ED780C | |
Source: | Code function: | 0_2_00D8991A | |
Source: | Code function: | 0_2_00D8B909 | |
Source: | Code function: | 0_2_00E89A40 | |
Source: | Code function: | 0_2_00EA9A04 | |
Source: | Code function: | 0_2_00D9DA20 | |
Source: | Code function: | 0_2_00E3BBB0 | |
Source: | Code function: | 0_2_00D8DC62 | |
Source: | Code function: | 0_2_00EE3C38 | |
Source: | Code function: | 0_2_00E45C0C | |
Source: | Code function: | 0_2_00EDDD68 | |
Source: | Code function: | 0_2_00D85ED0 | |
Source: | Code function: | 0_2_00ECFE4C | |
Source: | Code function: | 0_2_00DA5E00 | |
Source: | Code function: | 0_2_00E13FF0 | |
Source: | Code function: | 0_2_00EBDFF0 | |
Source: | Code function: | 0_2_034958C9 | |
Source: | Code function: | 0_2_0349588A | |
Source: | Code function: | 0_2_03495899 |
Source: | Code function: |
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Classification label: |
Source: | Key opened: | ||
Source: | Key opened: |
Source: | Key opened: |
Source: | Binary or memory string: |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | File read: |
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: |
Source: | Static file information: |
Data Obfuscation |
---|
Source: | Unpacked PE file: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Code function: | 0_2_00E78A49 | |
Source: | Code function: | 0_2_00EC410C | |
Source: | Code function: | 0_2_00EAA19E | |
Source: | Code function: | 0_2_00E960F4 | |
Source: | Code function: | 0_2_00F3E123 | |
Source: | Code function: | 0_2_00DFE0C3 | |
Source: | Code function: | 0_2_00EC40BC | |
Source: | Code function: | 0_2_00E2A13D | |
Source: | Code function: | 0_2_00E9A094 | |
Source: | Code function: | 0_2_00E3A0C9 | |
Source: | Code function: | 0_2_00F3E208 | |
Source: | Code function: | 0_2_00E2A220 | |
Source: | Code function: | 0_2_00E2A1E8 | |
Source: | Code function: | 0_2_00E801D8 | |
Source: | Code function: | 0_2_00F3E1D0 | |
Source: | Code function: | 0_2_00E861B0 | |
Source: | Code function: | 0_2_00EA81A4 | |
Source: | Code function: | 0_2_00E6E194 | |
Source: | Code function: | 0_2_00E2A188 | |
Source: | Code function: | 0_2_00F3E198 | |
Source: | Code function: | 0_2_00EA816C | |
Source: | Code function: | 0_2_00F3E160 | |
Source: | Code function: | 0_2_00DF2109 | |
Source: | Code function: | 0_2_00EA8134 | |
Source: | Code function: | 0_2_00EA4138 | |
Source: | Code function: | 0_2_00F3E320 | |
Source: | Code function: | 0_2_00E2A2F0 | |
Source: | Code function: | 0_2_00E042F4 | |
Source: | Code function: | 0_2_00F3E2E8 | |
Source: | Code function: | 0_2_00E042C5 | |
Source: | Code function: | 0_2_00E2C2EC |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Registry key monitored for changes: | ||
Source: | Registry key monitored for changes: |
Source: | Process information set: |
Malware Analysis System Evasion |
---|
Source: | WMI Queries: |
Source: | System information queried: |
Source: | Window / User API: | ||
Source: | Window / User API: | ||
Source: | Window / User API: | ||
Source: | Window / User API: | ||
Source: | Window / User API: |
Source: | Thread sleep count: | ||
Source: | Thread sleep count: | ||
Source: | Thread sleep time: | ||
Source: | Thread sleep count: | ||
Source: | Thread sleep time: | ||
Source: | Thread sleep time: | ||
Source: | Thread sleep count: | ||
Source: | Thread sleep count: | ||
Source: | Thread sleep time: |
Source: | WMI Queries: |
Source: | Last function: | ||
Source: | Last function: |
Source: | Code function: | 0_2_00E03490 |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Process information queried: |
Anti Debugging |
---|
Source: | Thread information set: | ||
Source: | Thread information set: |
Source: | Code function: | 0_2_00DBCCA0 |
Source: | Code function: | 0_2_03498024 | |
Source: | Code function: | 0_2_03497E70 |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Code function: | 0_2_00E88268 |
Source: | Code function: | 0_2_00F3A208 |
Source: | Queries volume information: |
Source: | Code function: | 0_2_00DE2958 |
Source: | Code function: | 0_2_00E29CC0 |
Source: | Binary or memory string: |
Source: | WMI Queries: |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | Directory queried: | Jump to behavior | ||
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: | ||
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 31 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 11 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Query Registry | Remote Desktop Protocol | 41 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 4 Obfuscated Files or Information | Security Account Manager | 321 Security Software Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Software Packing | NTDS | 31 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 11 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 42 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
76% | Virustotal | Browse | ||
79% | ReversingLabs | Win32.Exploit.LummaC | ||
100% | Avira | HEUR/AGEN.1314134 | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
impossiblekdo.click | 188.114.97.3 | true | true | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true | unknown | ||
true | unknown | ||
false | high | ||
false | high | ||
false | high | ||
false | high | ||
false | high | ||
false | high | ||
false | high | ||
false | high | ||
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high | |||
false | unknown | |||
false | unknown | |||
false | high | |||
false | unknown | |||
false | high | |||
false | unknown | |||
false | high | |||
false | unknown | |||
false | high | |||
false | high | |||
false | high | |||
false | unknown | |||
false | unknown | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | unknown | |||
false | unknown | |||
false | high | |||
false | high | |||
false | unknown | |||
false | unknown | |||
false | high | |||
false | unknown | |||
false | high | |||
false | high | |||
false | unknown | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | unknown | |||
false | unknown | |||
false | high | |||
false | unknown | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | unknown | |||
false | unknown | |||
false | unknown | |||
false | high | |||
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
188.114.97.3 | impossiblekdo.click | European Union | 13335 | CLOUDFLARENETUS | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1584669 |
Start date and time: | 2025-01-06 07:43:08 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 7m 29s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 5 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | un30brGAKP.exe (renamed because original name is a hash value) |
Original Sample Name: | 36db2173d6f06d276b72ea725d9a81ac.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@1/0@1/1 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.45
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description |
---|---|---|
01:43:59 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
188.114.97.3 | | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | |
188.114.97.3 | | Get hash | malicious | FormBook | Browse | |
188.114.97.3 | | Get hash | malicious | Unknown | Browse | |
188.114.97.3 | | Get hash | malicious | Unknown | Browse | |
188.114.97.3 | | Get hash | malicious | FormBook | Browse | |
188.114.97.3 | | Get hash | malicious | FormBook | Browse | |
188.114.97.3 | | Get hash | malicious | Unknown | Browse | |
188.114.97.3 | | Get hash | malicious | Unknown | Browse | |
188.114.97.3 | | Get hash | malicious | Unknown | Browse | |
188.114.97.3 | | Get hash | malicious | FormBook | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
impossiblekdo.click | | Get hash | malicious | LummaC | Browse | |
impossiblekdo.click | | Get hash | malicious | LummaC | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CLOUDFLARENETUS | | Get hash | malicious | XWorm | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | Unknown | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | Unknown | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | Unknown | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | Unknown | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | Unknown | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | Unknown | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | Unknown | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | LummaC | Browse | |
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | LummaC | Browse | |
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | LummaC | Browse | |
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | LummaC Stealer | Browse | |
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | LummaC | Browse | |
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | LummaC, PureLog Stealer | Browse | |
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | LummaC | Browse | |
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | LummaC, PureLog Stealer | Browse | |
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | LummaC, PureLog Stealer | Browse | |
File type: | |
Entropy (8bit): | 7.991550859737239 |
TrID: | |
File name: | un30brGAKP.exe |
File size: | 1'283'584 bytes |
MD5: | 36db2173d6f06d276b72ea725d9a81ac |
SHA1: | ac1d252fe08dee826c9bc789cabae47635b3e9b0 |
SHA256: | c436b9f7bc178e51eb1380a5affa9c1ce0acf980a9cf7a193a36edef132e5c00 |
SHA512: | 0527251c68fb495a8c4e1176346642cc918b4bb8e401d01ed7dc47229e0f7c57b6a5d0cf8da430c8f0da39fa883861438891cdb7d16ccee9179483e9f603bede |
SSDEEP: | 24576:ZXNGqNrNuq30sbRany6ZZfZ6Zcl1xWxfwafwudgv:ZPuqJRan/ZRT1Uxfwa4v |
TLSH: | A755334307474266FCABE9BA27336B30EE630ECB8A5129C159DE419F047A15AF187DE4 |
File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...f.pg..........................................@...........................;...........@................................. P-.... |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x41ca96 |
Entrypoint Section: | |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x67701566 [Sat Dec 28 15:12:38 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 71cc5af9daad65e58c6f29c42cdf9201 |
Instruction |
---|
push ebp |
mov ebp, esp |
add esp, FFFFFFF0h |
mov eax, 00401000h |
call 00007FEEB4BA9FF6h |
call far 5DE5h : 8B10C483h |
jmp 00007FEEB4F469F7h |
push edx |
mov ch, ah |
jmp 00007FEE9AD67106h |
xchg eax, esp |
popfd |
mov ecx, CFC4B114h |
mov al, 42h |
mov byte ptr [998E7C48h], al |
push esi |
or eax, 7412F012h |
lds ecx, fword ptr [edx+47h] |
mov ah, E0h |
je 00007FEEB4BA9F80h |
push 00000040h |
and byte ptr [eax-0612CC45h], dl |
dec dh |
insb |
mov bh, 94h |
dec ebp |
fbld [eax+7Ch] |
cld |
lds edx, fword ptr [ebp-2EA2E5CDh] |
inc ebp |
mov al, dh |
aad 36h |
add dh, byte ptr [edi-59B1A18Bh] |
pushfd |
mov ebx, F3FA1411h |
push esp |
mov edx, C8C6B955h |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2d5020 | 0x214 | .data |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2d5000 | 0xc | .data |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
0x1000 | 0x40000 | 0x21c00 | 8c97ce45160fcc76700f6610999c526c | False | 0.9986906828703703 | data | 7.997961619008951 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
0x41000 | 0x3000 | 0xe00 | cb1310a563246109d72cfa67fe8374ef | False | 0.9773995535714286 | data | 7.843220250000753 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
0x44000 | 0xe000 | 0x3200 | a44846c0a00bc5a0d0dc324c1c030ac3 | False | 0.9784375 | data | 7.935638020902636 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
0x52000 | 0x4000 | 0x2200 | cf5828acbf9c7f91fb74ea8b7052ea20 | False | 0.9983915441176471 | data | 7.975431034755942 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
0x56000 | 0x27f000 | 0x2ba00 | 50101963b6107eb0795d88fbd7c357d3 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
.data | 0x2d5000 | 0xe6000 | 0xe5a00 | b6127f958fbde415882ecf0c94677dfb | False | 0.9972664755715841 | data | 7.985309646585309 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
DLL | Import |
---|---|
kernel32.dll | GetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA |
user32.dll | MessageBoxA |
advapi32.dll | RegCloseKey |
oleaut32.dll | SysFreeString |
gdi32.dll | CreateFontA |
shell32.dll | ShellExecuteA |
version.dll | GetFileVersionInfoA |
ole32.dll | CoCreateInstance |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-06T07:43:59.799217+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 188.114.97.3 | 443 | TCP |
2025-01-06T07:44:00.266309+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49731 | 188.114.97.3 | 443 | TCP |
2025-01-06T07:44:00.266309+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49731 | 188.114.97.3 | 443 | TCP |
2025-01-06T07:44:00.751157+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49732 | 188.114.97.3 | 443 | TCP |
2025-01-06T07:44:01.249780+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49732 | 188.114.97.3 | 443 | TCP |
2025-01-06T07:44:01.249780+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49732 | 188.114.97.3 | 443 | TCP |
2025-01-06T07:44:02.122964+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49733 | 188.114.97.3 | 443 | TCP |
2025-01-06T07:44:02.783191+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49733 | 188.114.97.3 | 443 | TCP |
2025-01-06T07:44:03.372318+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49734 | 188.114.97.3 | 443 | TCP |
2025-01-06T07:44:05.137175+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49735 | 188.114.97.3 | 443 | TCP |
2025-01-06T07:44:06.687867+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49736 | 188.114.97.3 | 443 | TCP |
2025-01-06T07:44:08.248651+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49737 | 188.114.97.3 | 443 | TCP |
2025-01-06T07:44:08.252673+0100 | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 1 | 192.168.2.4 | 49737 | 188.114.97.3 | 443 | TCP |
2025-01-06T07:44:10.852062+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49738 | 188.114.97.3 | 443 | TCP |
2025-01-06T07:44:11.323779+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49738 | 188.114.97.3 | 443 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 6, 2025 07:43:59.307863951 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:43:59.307904005 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:43:59.308124065 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:43:59.311507940 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:43:59.311517954 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:43:59.798973083 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:43:59.799216986 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:43:59.802638054 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:43:59.802649021 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:43:59.802948952 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:43:59.845140934 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:43:59.850220919 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:43:59.850250959 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:43:59.850347042 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:00.266314030 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:00.266402006 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:00.266454935 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:00.268564939 CET | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:00.268588066 CET | 443 | 49731 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:00.276343107 CET | 49732 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:00.276386976 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:00.276495934 CET | 49732 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:00.276740074 CET | 49732 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:00.276752949 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:00.751029015 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:00.751157045 CET | 49732 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:00.784151077 CET | 49732 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:00.784176111 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:00.784459114 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:00.786334991 CET | 49732 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:00.786402941 CET | 49732 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:00.786448002 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:01.249785900 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:01.249849081 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:01.249890089 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:01.249911070 CET | 49732 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:01.249924898 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:01.249960899 CET | 49732 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:01.249968052 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:01.250020027 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:01.250067949 CET | 49732 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:01.250073910 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:01.250129938 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:01.250164986 CET | 49732 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:01.250170946 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:01.250431061 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:01.250464916 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:01.250471115 CET | 49732 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:01.250477076 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:01.250509024 CET | 49732 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:01.254525900 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:01.298259020 CET | 49732 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:01.340007067 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:01.340104103 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:01.340153933 CET | 49732 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:01.340166092 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:01.340209961 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:01.340249062 CET | 49732 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:01.474756956 CET | 49732 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:01.474786997 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:01.474801064 CET | 49732 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:01.474807024 CET | 443 | 49732 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:01.655806065 CET | 49733 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:01.655853987 CET | 443 | 49733 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:01.655927896 CET | 49733 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:01.656250954 CET | 49733 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:01.656264067 CET | 443 | 49733 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:02.122908115 CET | 443 | 49733 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:02.122963905 CET | 49733 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:02.124273062 CET | 49733 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:02.124285936 CET | 443 | 49733 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:02.124537945 CET | 443 | 49733 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:02.125699997 CET | 49733 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:02.125834942 CET | 49733 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:02.125868082 CET | 443 | 49733 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:02.125933886 CET | 49733 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:02.125941038 CET | 443 | 49733 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:02.783199072 CET | 443 | 49733 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:02.783328056 CET | 443 | 49733 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:02.783421993 CET | 49733 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:02.783484936 CET | 49733 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:02.783505917 CET | 443 | 49733 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:02.910643101 CET | 49734 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:02.910680056 CET | 443 | 49734 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:02.910866022 CET | 49734 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:02.911114931 CET | 49734 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:02.911127090 CET | 443 | 49734 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:03.372144938 CET | 443 | 49734 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:03.372318029 CET | 49734 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:03.374048948 CET | 49734 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:03.374058962 CET | 443 | 49734 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:03.374356985 CET | 443 | 49734 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:03.375689030 CET | 49734 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:03.375833988 CET | 49734 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:03.375861883 CET | 443 | 49734 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:04.195127010 CET | 443 | 49734 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:04.195229053 CET | 443 | 49734 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:04.195348024 CET | 49734 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:04.195445061 CET | 49734 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:04.195461035 CET | 443 | 49734 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:04.680521011 CET | 49735 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:04.680563927 CET | 443 | 49735 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:04.680661917 CET | 49735 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:04.681039095 CET | 49735 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:04.681050062 CET | 443 | 49735 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:05.137093067 CET | 443 | 49735 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:05.137175083 CET | 49735 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:05.138484001 CET | 49735 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:05.138493061 CET | 443 | 49735 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:05.138725996 CET | 443 | 49735 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:05.140064955 CET | 49735 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:05.140268087 CET | 49735 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:05.140305042 CET | 443 | 49735 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:05.140360117 CET | 49735 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:05.140367031 CET | 443 | 49735 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:05.782627106 CET | 443 | 49735 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:05.782744884 CET | 443 | 49735 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:05.782952070 CET | 49735 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:05.783086061 CET | 49735 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:05.783104897 CET | 443 | 49735 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:06.194258928 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:06.194308043 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:06.194370031 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:06.194652081 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:06.194667101 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:06.687752962 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:06.687866926 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:06.689044952 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:06.689055920 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:06.689294100 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:06.690362930 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:06.690443039 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:06.690447092 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:07.151387930 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:07.151494980 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:07.151567936 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:07.151773930 CET | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:07.151793003 CET | 443 | 49736 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:07.793554068 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:07.793608904 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:07.793689966 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:07.793979883 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:07.793993950 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:08.248528004 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:08.248651028 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:08.249811888 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:08.249824047 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:08.250067949 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:08.251303911 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:08.252161980 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:08.252197981 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:08.252299070 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:08.252334118 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:08.252464056 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:08.252484083 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:08.252618074 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:08.252638102 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:08.252784014 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:08.252804041 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:08.252986908 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:08.253006935 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:08.253015995 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:08.253180027 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:08.253201962 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:08.262191057 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:08.262360096 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:08.262382984 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:08.262406111 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:08.262423038 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:08.262429953 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:08.262439966 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:08.262545109 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:08.262581110 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:08.262614965 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:08.267067909 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:08.267168999 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:08.267182112 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:10.358982086 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:10.359091043 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:10.359157085 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:10.359236956 CET | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:10.359255075 CET | 443 | 49737 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:10.368299961 CET | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:10.368350983 CET | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:10.368436098 CET | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:10.368709087 CET | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:10.368721008 CET | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:10.851986885 CET | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:10.852061987 CET | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:10.853255987 CET | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:10.853270054 CET | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:10.853509903 CET | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:10.854568958 CET | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:10.854587078 CET | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:10.854636908 CET | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:11.323781967 CET | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:11.323849916 CET | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:11.323883057 CET | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:11.323904037 CET | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:11.323926926 CET | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:11.323966026 CET | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:11.323967934 CET | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:11.323977947 CET | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:11.324024916 CET | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:11.324031115 CET | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:11.324373007 CET | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:11.324440956 CET | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:11.324445963 CET | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:11.328418016 CET | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:11.328459024 CET | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:11.328484058 CET | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:11.328490019 CET | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:11.328532934 CET | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:11.328536987 CET | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:11.328564882 CET | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:11.328598022 CET | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:11.328711033 CET | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:11.328725100 CET | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
Jan 6, 2025 07:44:11.328754902 CET | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
Jan 6, 2025 07:44:11.328759909 CET | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 6, 2025 07:43:59.288466930 CET | 65253 | 53 | 192.168.2.4 | 1.1.1.1 |
Jan 6, 2025 07:43:59.302201033 CET | 53 | 65253 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Jan 6, 2025 07:43:59.288466930 CET | 192.168.2.4 | 1.1.1.1 | 0x3cce | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Jan 6, 2025 07:43:59.302201033 CET | 1.1.1.1 | 192.168.2.4 | 0x3cce | No error (0) | | | 188.114.97.3 | A (IP address) | IN (0x0001) | false |
Jan 6, 2025 07:43:59.302201033 CET | 1.1.1.1 | 192.168.2.4 | 0x3cce | No error (0) | | | 188.114.96.3 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.4 | 49731 | 188.114.97.3 | 443 | 6868 | C:\Users\user\Desktop\un30brGAKP.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-06 06:43:59 UTC | 266 | OUT | |
2025-01-06 06:43:59 UTC | 8 | OUT | |
2025-01-06 06:44:00 UTC | 1127 | IN | |
2025-01-06 06:44:00 UTC | 7 | IN | |
2025-01-06 06:44:00 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.4 | 49732 | 188.114.97.3 | 443 | 6868 | C:\Users\user\Desktop\un30brGAKP.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-06 06:44:00 UTC | 267 | OUT | |
2025-01-06 06:44:00 UTC | 54 | OUT | |
2025-01-06 06:44:01 UTC | 1129 | IN | |
2025-01-06 06:44:01 UTC | 240 | IN | |
2025-01-06 06:44:01 UTC | 1369 | IN | |
2025-01-06 06:44:01 UTC | 1369 | IN | |
2025-01-06 06:44:01 UTC | 1369 | IN | |
2025-01-06 06:44:01 UTC | 931 | IN | |
2025-01-06 06:44:01 UTC | 1369 | IN | |
2025-01-06 06:44:01 UTC | 1369 | IN | |
2025-01-06 06:44:01 UTC | 1369 | IN | |
2025-01-06 06:44:01 UTC | 1369 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.4 | 49733 | 188.114.97.3 | 443 | 6868 | C:\Users\user\Desktop\un30brGAKP.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-06 06:44:02 UTC | 275 | OUT | |
2025-01-06 06:44:02 UTC | 15331 | OUT | |
2025-01-06 06:44:02 UTC | 2779 | OUT | |
2025-01-06 06:44:02 UTC | 1125 | IN | |
2025-01-06 06:44:02 UTC | 20 | IN | |
2025-01-06 06:44:02 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.4 | 49734 | 188.114.97.3 | 443 | 6868 | C:\Users\user\Desktop\un30brGAKP.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-06 06:44:03 UTC | 277 | OUT | |
2025-01-06 06:44:03 UTC | 8749 | OUT | |
2025-01-06 06:44:04 UTC | 1123 | IN | |
2025-01-06 06:44:04 UTC | 20 | IN | |
2025-01-06 06:44:04 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.4 | 49735 | 188.114.97.3 | 443 | 6868 | C:\Users\user\Desktop\un30brGAKP.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-06 06:44:05 UTC | 280 | OUT | |
2025-01-06 06:44:05 UTC | 15331 | OUT | |
2025-01-06 06:44:05 UTC | 5083 | OUT | |
2025-01-06 06:44:05 UTC | 1139 | IN | |
2025-01-06 06:44:05 UTC | 20 | IN | |
2025-01-06 06:44:05 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.4 | 49736 | 188.114.97.3 | 443 | 6868 | C:\Users\user\Desktop\un30brGAKP.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-06 06:44:06 UTC | 281 | OUT | |
2025-01-06 06:44:06 UTC | 1237 | OUT | |
2025-01-06 06:44:07 UTC | 1132 | IN | |
2025-01-06 06:44:07 UTC | 20 | IN | |
2025-01-06 06:44:07 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.4 | 49737 | 188.114.97.3 | 443 | 6868 | C:\Users\user\Desktop\un30brGAKP.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-06 06:44:08 UTC | 277 | OUT | |
2025-01-06 06:44:08 UTC | 15331 | OUT | |
2025-01-06 06:44:08 UTC | 15331 | OUT | |
2025-01-06 06:44:08 UTC | 15331 | OUT | |
2025-01-06 06:44:08 UTC | 15331 | OUT | |
2025-01-06 06:44:08 UTC | 15331 | OUT | |
2025-01-06 06:44:08 UTC | 15331 | OUT | |
2025-01-06 06:44:08 UTC | 15331 | OUT | |
2025-01-06 06:44:08 UTC | 15331 | OUT | |
2025-01-06 06:44:08 UTC | 15331 | OUT | |
2025-01-06 06:44:08 UTC | 15331 | OUT | |
2025-01-06 06:44:10 UTC | 1133 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.4 | 49738 | 188.114.97.3 | 443 | 6868 | C:\Users\user\Desktop\un30brGAKP.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-06 06:44:10 UTC | 267 | OUT | |
2025-01-06 06:44:10 UTC | 89 | OUT | |
2025-01-06 06:44:11 UTC | 1127 | IN | |
2025-01-06 06:44:11 UTC | 242 | IN | |
2025-01-06 06:44:11 UTC | 1369 | IN | |
2025-01-06 06:44:11 UTC | 1369 | IN | |
2025-01-06 06:44:11 UTC | 1369 | IN | |
2025-01-06 06:44:11 UTC | 1369 | IN | |
2025-01-06 06:44:11 UTC | 1369 | IN | |
2025-01-06 06:44:11 UTC | 1369 | IN | |
2025-01-06 06:44:11 UTC | 1369 | IN | |
2025-01-06 06:44:11 UTC | 1369 | IN | |
Target ID: | 0 |
Start time: | 01:43:57 |
Start date: | 06/01/2025 |
Path: | C:\Users\user\Desktop\un30brGAKP.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd80000 |
File size: | 1'283'584 bytes |
MD5 hash: | 36DB2173D6F06D276B72EA725D9A81AC |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | Borland Delphi |
Reputation: | low |
Has exited: | false |
Execution Graph
Execution Coverage: | 4.1% |
Dynamic/Decrypted Code Coverage: | 9.5% |
Signature Coverage: | 62.1% |
Total number of Nodes: | 169 |
Total number of Limit Nodes: | 9 |
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
00DA0D80 | 20.5 | | 16 | 531 | COMMON |
037F1000 | 19.6 | 13 | | 81 | clipboard, sleep, memory, COMMON |
00D95050 | 16.7 | 1 | 8 | 939 | encryption, COMMON |
00D8AC50 | 4.1 | | 3 | 369 | COMMON |
00F3A208 | 3.9 | | 3 | 184 | COMMON |
00D89D30 | 3.8 | | 3 | 97 | COMMON |
00E2BBD0 | 3.8 | | 3 | 78 | COMMON |
00DA5A60 | 2.8 | | 2 | 309 | COMMON |
00D8CFA8 | 1.5 | | 1 | 275 | COMMON |
00DBCCA0 | 1.5 | 1 | | 14 | library, COMMON |
00E2B634 | 1.5 | 1 | | 9 | native, COMMON |
00D8D3E9 | 1.4 | | 1 | 178 | COMMON |
00E89CA4 | 1.4 | | 1 | 128 | COMMON |
00DBEC20 | 1.4 | | 1 | 102 | COMMON |
00DBF670 | 0.3 | | | 319 | COMMON |
00DBED50 | 0.3 | | | 277 | COMMON |
00D88790 | 0.2 | | | 231 | COMMON |
00DBB150 | 0.2 | | | 223 | COMMON |
00DBFFB0 | 0.1 | | | 129 | COMMON |
00E29CC0 | 0.1 | | | 55 | COMMON |
00E03490 | 0.0 | | | 46 | COMMON |
00DE2958 | 0.0 | | | 22 | COMMON |
00E2B7F0 | 0.0 | | | 19 | COMMON |
00D8CD76 | 1.6 | 1 | | 122 | COMMON |
00DBCC10 | 1.5 | 1 | | 44 | memory, COMMON |
00D8CF3D | 1.5 | 1 | | 37 | COMMON |
00DBB120 | 1.5 | 1 | | 15 | memory, COMMON |
00DBB100 | 1.5 | 1 | | 9 | memory, COMMON |
00F43598 | 1.3 | 1 | | 21 | memory, COMMON |
03498142 | 0.0 | | | 20 | COMMON |
03498180 | 0.0 | | | 13 | COMMON |
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
00EA4498 | 38.2 | | 30 | 740 | COMMON |
0349588A | 22.5 | | 15 | 3775 | COMMON |
034958C9 | 22.3 | | 15 | 3578 | COMMON |
03495899 | 22.3 | | 15 | 3578 | COMMON |
00DA5210 | 14.3 | | 11 | 528 | COMMON |
00D89390 | 11.7 | | 9 | 425 | COMMON |
00EDA05C | 6.9 | | 5 | 623 | COMMON |
00ECFE4C | 6.4 | | 5 | 179 | COMMON |
00DA5E00 | 5.6 | | 4 | 590 | COMMON |
00D897D0 | 5.4 | | 4 | 434 | COMMON |
00D8B0C0 | 5.2 | | 4 | 226 | COMMON |
00D88320 | 4.1 | | 3 | 313 | COMMON |
00D8EAA0 | 3.9 | | 3 | 183 | COMMON |
00D84B90 | 3.3 | | 2 | 800 | COMMON |
00EA9A04 | 2.9 | | 2 | 390 | COMMON |
00D8991A | 2.8 | | 2 | 330 | COMMON |
00D84260 | 2.8 | | 2 | 329 | COMMON |
00EACA18 | 2.8 | | 2 | 304 | COMMON |
00D890B0 | 2.8 | | 2 | 301 | COMMON |
00E45C0C | 2.2 | | 1 | 905 | COMMON |
00DBB860 | 2.0 | | 1 | 775 | COMMON |
00ED813C | 1.9 | | 1 | 681 | COMMON |
00EB0EB0 | 1.8 | | 1 | 518 | COMMON |
00EDB8C4 | 1.6 | | 1 | 368 | COMMON |
00E2ACF8 | 1.6 | 1 | | 52 | native, COMMON |
00E2B180 | 1.5 | 1 | | 48 | native, COMMON |
00E2B58C | 1.5 | 1 | | 48 | native, COMMON |
00E2ACA0 | 1.5 | 1 | | 44 | native, COMMON |
00E2AC50 | 1.5 | 1 | | 40 | native, COMMON |
00E2AF04 | 1.5 | 1 | | 40 | native, COMMON |
00E2B028 | 1.5 | 1 | | 36 | native, COMMON |
00E2B3F4 | 1.5 | 1 | | 36 | native, COMMON |
00E2B5EC | 1.5 | 1 | | 36 | native, COMMON |
00E2AFE8 | 1.5 | 1 | | 32 | native, COMMON |
00E2AF74 | 1.5 | 1 | | 32 | native, COMMON |
00E2B0B0 | 1.5 | 1 | | 32 | native, COMMON |
00E2B070 | 1.5 | 1 | | 32 | native, COMMON |
00E2B1E0 | 1.5 | 1 | | 32 | native, COMMON |
00E2ABB0 | 1.5 | 1 | | 26 | native, COMMON |
00E2ADE0 | 1.5 | 1 | | 26 | native, COMMON |
00E2AFB4 | 1.5 | 1 | | 26 | native, COMMON |
00E2B338 | 1.5 | 1 | | 26 | native, COMMON |
00E2B558 | 1.5 | 1 | | 26 | native, COMMON |
00E2AD60 | 1.5 | 1 | | 21 | native, COMMON |
00E2B27C | 1.5 | 1 | | 21 | native, COMMON |
00D85ED0 | 1.5 | | 1 | 265 | COMMON |
00D9CF70 | 1.5 | | 1 | 264 | COMMON |
00E2AF54 | 1.5 | 1 | | 13 | native, COMMON |
00E2B2C4 | 1.5 | 1 | | 11 | native, COMMON |
00E2B53C | 1.5 | 1 | | 11 | native, COMMON |
00E13FF0 | 1.5 | | 1 | 259 | COMMON |
00ED1434 | 1.5 | | 1 | 238 | COMMON |
00EC4958 | 1.5 | | 1 | 236 | COMMON |
00EACF48 | 1.5 | | 1 | 207 | COMMON |
00E89264 | 1.4 | | 1 | 181 | COMMON |
00E89600 | 1.4 | | 1 | 181 | COMMON |
00E89A40 | 1.4 | | 1 | 181 | COMMON |
00E88268 | 1.4 | | 1 | 120 | COMMON |
00D8A6AA | 1.3 | | 1 | 28 | COMMON |
00D82E90 | 0.7 | | | 670 | COMMON |
00D86700 | 0.7 | | | 665 | COMMON |
00D874E0 | 0.6 | | | 627 | COMMON |
00EE3C38 | 0.6 | | | 620 | COMMON |
00D943D0 | 0.6 | | | 608 | COMMON |
00D838B0 | 0.6 | | | 600 | COMMON |
00DAD1C0 | 0.6 | | | 582 | COMMON |
00D9ECF0 | 0.6 | | | 577 | COMMON |
00D858B0 | 0.5 | | | 539 | COMMON |
00EA8AC8 | 0.5 | | | 521 | COMMON |
00DBE640 | 0.4 | | | 446 | COMMON |
00DBE5B0 | 0.4 | | | 425 | COMMON |
00E66C28 | 0.4 | | | 405 | COMMON |
00D9D250 | 0.3 | | | 345 | COMMON |
00F3EF40 | 0.3 | | | 320 | COMMON |
00EBDFF0 | 0.3 | | | 320 | COMMON |
00D86270 | 0.3 | | | 303 | COMMON |
00D8B49D | 0.3 | | | 296 | COMMON |
00DB72D0 | 0.3 | | | 295 | COMMON |
00EC4E80 | 0.3 | | | 284 | COMMON |
00E5782C | 0.3 | | | 284 | COMMON |
00DBF050 | 0.3 | | | 262 | COMMON |
00E1E97C | 0.3 | | | 258 | COMMON |
00D8B909 | 0.3 | | | 256 | COMMON |
00ED780C | 0.2 | | | 238 | COMMON |
00EDE01C | 0.2 | | | 222 | COMMON |
00E3BBB0 | 0.2 | | | 218 | COMMON |
00EDDD68 | 0.2 | | | 190 | COMMON |
00D9DA20 | 0.2 | | | 184 | COMMON |
00E86AC8 | 0.2 | | | 174 | COMMON |
00D8DC62 | 0.2 | | | 160 | COMMON |
00EE2048 | 0.2 | | | 158 | COMMON |
00DA36B0 | 0.2 | | | 154 | COMMON |
00DC0130 | 0.1 | | | 132 | COMMON |
00E86D94 | 0.1 | | | 123 | COMMON |
00E86F24 | 0.1 | | | 123 | COMMON |
00DBFEE0 | 0.1 | | | 72 | COMMON |
03498024 | 0.1 | | | 65 | COMMON |
00DBB7C0 | 0.1 | | | 65 | COMMON |
03497E70 | 0.1 | | | 56 | COMMON |
00D8A2B5 | 0.0 | | | 11 | COMMON |