Windows
Analysis Report
FILHKLtCw0.exe
Overview
General Information
Sample name: | FILHKLtCw0.exe (renamed because original name is a hash value) |
Original sample name: | 12ba9e377bd0dd9470038a28d9c076d28bd8e4bc9c419148a7ae4c20b7a831ba.exe |
Analysis ID: | 1587996 |
MD5: | a2c795a981ddc798d11ec6e3ade42301 |
SHA1: | e650b31efaf33eaf34f92fea24e56d130d91a1f9 |
SHA256: | 12ba9e377bd0dd9470038a28d9c076d28bd8e4bc9c419148a7ae4c20b7a831ba |
Tags: | exe, GuLoader, user-adrian__luca |
Infos: | |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- FILHKLtCw0.exe (PID: 2920 cmdline: "C:\Users\user\Desktop\FILHKLtCw0.exe" MD5: A2C795A981DDC798D11EC6E3ADE42301)
- FILHKLtCw0.exe (PID: 5852 cmdline: "C:\Users\user\Desktop\FILHKLtCw0.exe" MD5: A2C795A981DDC798D11EC6E3ADE42301)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is XORed. | No Attribution | | |
{"C2 url": "https://api.telegram.org/bot7782841068:AAEc-nCmeaG2WG8noQ4QtMz2nBxG0zDBxvA/sendMessage"}
{"EXfil Mode": "Telegram", "Telegram Token": "7782841068:AAEc-nCmeaG2WG8noQ4QtMz2nBxG0zDBxvA", "Telegram Chatid": "1934716051"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | ||
JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | ||
JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security | ||
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-10T20:24:10.630821+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 59244 | 149.154.167.220 | 443 | TCP |
2025-01-10T20:24:14.585687+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 59246 | 149.154.167.220 | 443 | TCP |
2025-01-10T20:24:17.898382+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 59248 | 149.154.167.220 | 443 | TCP |
2025-01-10T20:24:19.416338+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 59250 | 149.154.167.220 | 443 | TCP |
2025-01-10T20:24:21.746582+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 59252 | 149.154.167.220 | 443 | TCP |
2025-01-10T20:24:23.224034+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 59254 | 149.154.167.220 | 443 | TCP |
2025-01-10T20:24:24.812890+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 59256 | 149.154.167.220 | 443 | TCP |
2025-01-10T20:24:26.278739+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 59258 | 149.154.167.220 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-10T20:24:02.515912+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 59242 | 193.122.6.168 | 80 | TCP |
2025-01-10T20:24:09.781628+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 59242 | 193.122.6.168 | 80 | TCP |
2025-01-10T20:24:13.719098+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 59245 | 193.122.6.168 | 80 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-10T20:23:56.219592+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.5 | 59240 | 142.250.181.238 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-10T20:24:10.431548+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 59244 | 149.154.167.220 | 443 | TCP |
2025-01-10T20:24:14.333494+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 59246 | 149.154.167.220 | 443 | TCP |
2025-01-10T20:24:17.723033+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 59248 | 149.154.167.220 | 443 | TCP |
2025-01-10T20:24:19.237869+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 59250 | 149.154.167.220 | 443 | TCP |
2025-01-10T20:24:21.560698+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 59252 | 149.154.167.220 | 443 | TCP |
2025-01-10T20:24:23.044538+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 59254 | 149.154.167.220 | 443 | TCP |
2025-01-10T20:24:24.566117+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 59256 | 149.154.167.220 | 443 | TCP |
2025-01-10T20:24:26.101869+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 59258 | 149.154.167.220 | 443 | TCP |
AV Detection |
---|
Source: | Malware Configuration Extractor: | ||
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: | |||
Source: | Virustotal: |
Source: | Integrated Neural Analysis Model: |
Location Tracking |
---|
Source: | DNS query: |
Source: | Code function: | 4_2_3838D1EC | |
Source: | Code function: | 4_2_3838D9D9 |
Source: | Static PE information: |
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Code function: | 0_2_00405846 | |
Source: | Code function: | 0_2_004027FB | |
Source: | Code function: | 0_2_00406398 | |
Source: | Code function: | 4_2_00405846 | |
Source: | Code function: | 4_2_004027FB | |
Source: | Code function: | 4_2_00406398 |
Networking |
---|
Source: | Suricata IDS: | ||
Source: | DNS query: |
Source: | TCP traffic: | ||
Source: | HTTP traffic detected: | ||
Source: | IP Address: | ||
Source: | JA3 fingerprint: | ||
Source: | DNS query: | ||
Source: | Suricata IDS: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | HTTP traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: | ||
Source: | Network traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | Code function: | 0_2_004052F3 |
Source: | Code function: | 0_2_004032A0 | |
Source: | Code function: | 4_2_004032A0 |
Source: | Code function: | 0_2_00404B30 | |
Source: | Code function: | 0_2_00407041 | |
Source: | Code function: | 0_2_0040686A | |
Source: | Code function: | 4_2_00407041 | |
Source: | Code function: | 4_2_0040686A | |
Source: | Code function: | 4_2_00404B30 | |
Source: | Code function: |
Source: | Binary or memory string: | ||
Source: | Static PE information: |
Source: | Classification label: |
Source: | Code function: | 0_2_004032A0 | |
Source: | Code function: | 4_2_004032A0 |
Source: | Code function: | 0_2_004045B4 |
Source: | Code function: | 0_2_00402095 |
Source: | File created: |
Source: | Mutant created: |
Source: | File created: |
Source: | Static PE information: |
Source: | File read: |
Source: | Key opened: |
Source: | Binary or memory string: |
Source: | ReversingLabs: | ||
Source: | Virustotal: |
Source: | File read: |
Source: | Process created: |
Source: | Section loaded: |
Source: | Key value queried: |
Source: | LNK file: |
Source: | Key opened: |
Source: | Static PE information: |
Data Obfuscation |
---|
Source: | File source: |
Source: | Code function: | 0_2_10001B18 |
Source: | Code function: | 0_2_10002E0E |
Source: | File created: |
Source: | Process information set: |
Malware Analysis System Evasion |
---|
Source: | API/Special instruction interceptor: | ||
Source: | RDTSC instruction interceptor: | ||
Source: | Memory allocated: |
Source: | Thread delayed: |
Source: | Window / User API: |
Source: | Dropped PE file which has not been started: |
Source: | API coverage: |
Source: | Thread sleep count: |
Source: | Thread sleep time: |
Source: | Code function: | 0_2_00405846 | |
Source: | Code function: | 0_2_004027FB | |
Source: | Code function: | 0_2_00406398 | |
Source: | Code function: | 4_2_00405846 | |
Source: | Code function: | 4_2_004027FB | |
Source: | Code function: | 4_2_00406398 |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | API call chain: | graph_0-3761 | ||
Source: | API call chain: | graph_0-3941 |
Source: | Code function: | 0_2_10001B18 |
Source: | Process token adjusted: | Jump to behavior |
Source: | Memory allocated: | Jump to behavior |
Source: | Process created: | Jump to behavior |
Source: | Queries volume information: | Jump to behavior | ||
Source: | Code function: | 0_2_00406077 |
Source: | Key value queried: | Jump to behavior |
Lowering of HIPS / PFW / Operating System Security Settings |
---|
Source: | Registry value created: | Jump to behavior |
Source: | Registry value created: | Jump to behavior |
Source: | Registry key created or modified: | Jump to behavior |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: |
Source: | File source: | ||
Source: | File source: |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: |
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Masquerading | 1 OS Credential Dumping | 21 Security Software Discovery | Remote Services | 1 Email Collection | 1 Web Service | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 11 Process Injection | 31 Disable or Modify Tools | LSASS Memory | 31 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 31 Virtualization/Sandbox Evasion | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | 1 Data from Local System | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Access Token Manipulation | NTDS | 1 System Network Configuration Discovery | Distributed Component Object Model | 1 Clipboard Data | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Process Injection | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | 14 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Deobfuscate/Decode Files or Information | Cached Domain Credentials | 215 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 3 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
61% | ReversingLabs | Win32.Trojan.Guloader | ||
75% | Virustotal | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | ReversingLabs |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
drive.google.com | 142.250.181.238 | true | false | high | |
drive.usercontent.google.com | 142.250.185.193 | true | false | high | |
reallyfreegeoip.org | 104.21.64.1 | true | false | high | |
api.telegram.org | 149.154.167.220 | true | false | high | |
checkip.dyndns.com | 193.122.6.168 | true | false | high | |
checkip.dyndns.org | unknown | unknown | false | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
false | high | ||
false | high | ||
false | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
142.250.181.238 | drive.google.com | United States | 15169 | GOOGLEUS | false | |
142.250.185.193 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false | |
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false | |
193.122.6.168 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false | |
104.21.64.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false |
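Added example, not part of the Joe Sandbox report or its tooling: detection logic run over constructed DNS-log lines that flags a host which queries one of the external-IP or geolocation services listed in the domain table above and then contacts api.telegram.org within a short window. The log format, the host names, the sample lines and the five-minute window are assumptions made for this example; only the domain names come from the report.

```python
"""Added example (not from the sandbox report): flag hosts whose DNS logs show
the external-IP lookup -> geolocation -> Telegram Bot API sequence recorded in
the report's contacted-domain table.

Assumptions (not from the report): the 'ISO8601 host domain' log format, the
host names and the 5-minute pairing window are hypothetical choices."""
from collections import defaultdict
from datetime import datetime, timedelta

# Domain names taken from the report's contacted-domain table.
RECON_DOMAINS = {"checkip.dyndns.org", "checkip.dyndns.com", "reallyfreegeoip.org"}
EXFIL_DOMAINS = {"api.telegram.org"}
WINDOW = timedelta(minutes=5)  # assumption: how close recon and exfil must be


def parse_line(line):
    """Parse 'ISO8601 src_host domain' into (timestamp, host, domain)."""
    ts, host, domain = line.split()
    return datetime.fromisoformat(ts), host, domain.lower().rstrip(".")


def find_exfil_sequences(lines):
    """Return {host: [(first_recon_ts, telegram_ts), ...]} for hosts that query
    a recon domain and then api.telegram.org within WINDOW.  A Telegram query
    with no recent recon query is ignored, which keeps ordinary Telegram
    clients out of the result."""
    per_host = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, host, domain = parse_line(line)
        per_host[host].append((ts, domain))

    hits = {}
    for host, events in per_host.items():
        events.sort()  # logs are not guaranteed to be in time order
        recon_seen = []
        for ts, domain in events:
            if domain in RECON_DOMAINS:
                recon_seen.append(ts)
            elif domain in EXFIL_DOMAINS:
                # pair with recon queries that fall inside the window
                recent = [r for r in recon_seen if ts - r <= WINDOW]
                if recent:
                    hits.setdefault(host, []).append((min(recent), ts))
    return hits


# Constructed sample log lines (not taken from the report).
SAMPLE_LOG = """\
2025-01-10T20:22:01 ws-17 checkip.dyndns.org
2025-01-10T20:22:02 ws-17 reallyfreegeoip.org
2025-01-10T20:22:03 ws-17 api.telegram.org
2025-01-10T20:22:05 ws-42 api.telegram.org
2025-01-10T19:10:00 ws-09 checkip.dyndns.com
2025-01-10T20:22:09 ws-09 api.telegram.org
""".splitlines()

if __name__ == "__main__":
    for host, pairs in find_exfil_sequences(SAMPLE_LOG).items():
        for first, tg in pairs:
            print(f"{host}: recon at {first:%H:%M:%S}, Telegram API at {tg:%H:%M:%S}")
```

On the constructed input only ws-17 is reported: ws-42 contacts api.telegram.org with no preceding recon query, and ws-09's recon query is more than an hour old. api.telegram.org on its own is a weak indicator because legitimate clients use it; the sequence, together with the Suricata alert and the resolved IPs in the tables above, gives a far better signal. Since the traffic is TLS, the same pairing can be done on SNI or JA3 values instead of DNS names.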
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1587996 |
Start date and time: | 2025-01-10 20:21:30 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 7m 36s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 5 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | FILHKLtCw0.exerenamed because original name is a hash value |
Original Sample Name: | 12ba9e377bd0dd9470038a28d9c076d28bd8e4bc9c419148a7ae4c20b7a831ba.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@3/8@5/5 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description |
---|---|---|
14:24:08 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
149.154.167.220 | Get hash | malicious | GuLoader, MassLogger RAT | Browse | ||
Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | AsyncRAT, StormKitty, WorldWind Stealer | Browse | |||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | MassLogger RAT | Browse | |||
Get hash | malicious | MassLogger RAT | Browse | |||
Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | |||
193.122.6.168 | Get hash | malicious | GuLoader, MassLogger RAT | Browse | ||
Get hash | malicious | MassLogger RAT | Browse | |||
Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | Snake Keylogger | Browse | |||
Get hash | malicious | Snake Keylogger | Browse | |||
Get hash | malicious | Snake Keylogger | Browse | |||
Get hash | malicious | Snake Keylogger | Browse | |||
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
checkip.dyndns.com | Get hash | malicious | GuLoader, MassLogger RAT | Browse | ||
Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | |||
Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
Get hash | malicious | MassLogger RAT | Browse | |||
Get hash | malicious | MassLogger RAT | Browse | |||
Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | |||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
reallyfreegeoip.org | Get hash | malicious | GuLoader, MassLogger RAT | Browse | ||
Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | |||
Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
Get hash | malicious | MassLogger RAT | Browse | |||
Get hash | malicious | MassLogger RAT | Browse | |||
Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | |||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
api.telegram.org | Get hash | malicious | GuLoader, MassLogger RAT | Browse | ||
Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | AsyncRAT, StormKitty, WorldWind Stealer | Browse | |||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | MassLogger RAT | Browse | |||
Get hash | malicious | MassLogger RAT | Browse | |||
Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | |||
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
ORACLE-BMC-31898US | Get hash | malicious | GuLoader, MassLogger RAT | Browse | ||
Get hash | malicious | MassLogger RAT | Browse | |||
Get hash | malicious | MassLogger RAT | Browse | |||
Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | MassLogger RAT | Browse | |||
Get hash | malicious | Snake Keylogger | Browse | |||
Get hash | malicious | GuLoader, Snake Keylogger | Browse | |||
TELEGRAMRU | Get hash | malicious | GuLoader, MassLogger RAT | Browse | ||
Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | AsyncRAT, StormKitty, WorldWind Stealer | Browse | |||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | MassLogger RAT | Browse | |||
Get hash | malicious | MassLogger RAT | Browse | |||
Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | |||
CLOUDFLARENETUS | Get hash | malicious | FormBook | Browse | ||
Get hash | malicious | GuLoader | Browse | |||
Get hash | malicious | FormBook | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | FormBook | Browse | |||
Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | |||
Get hash | malicious | FormBook | Browse | |||
Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
54328bd36c14bd82ddaa0c04b25ed9ad | Get hash | malicious | GuLoader, MassLogger RAT | Browse | ||
Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | |||
Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
Get hash | malicious | MassLogger RAT | Browse | |||
Get hash | malicious | MassLogger RAT | Browse | |||
Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | |||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
3b5074b1b5d032e5620f69f9f700ff0e | Get hash | malicious | GuLoader, MassLogger RAT | Browse | ||
Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | AsyncRAT, StormKitty, WorldWind Stealer | Browse | |||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
37f463bf4616ecd445d4a1937da06e19 | Get hash | malicious | GuLoader | Browse | ||
Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | |||
Get hash | malicious | GuLoader, Snake Keylogger | Browse | |||
Get hash | malicious | Vidar | Browse | |||
Get hash | malicious | Vidar | Browse | |||
Get hash | malicious | LummaC | Browse | |||
Get hash | malicious | GuLoader | Browse | |||
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
C:\Users\user\AppData\Local\Temp\nsn582.tmp\System.dll | Get hash | malicious | GuLoader, MassLogger RAT | Browse | ||
Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
Get hash | malicious | GuLoader, MassLogger RAT | Browse |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Bufagin\wildwestfilm.sto
Process: | C:\Users\user\Desktop\FILHKLtCw0.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 363811 |
Entropy (8bit): | 1.2512349423386382 |
Encrypted: | false |
SSDEEP: | 768:y2f405GRYtnSLOBbyCociR2TVuEpHsVURGxwGmXjyMB+CtKDOgt9rlHF1QOs+9m5:pIuagbnK7CwVwFpYogwhUsvCq |
MD5: | BFEA15C03AB295424981A73637A19491 |
SHA1: | A5ADABDDC373D6B3004F96946D84B651E42D9F5C |
SHA-256: | 83E9CE74259889DCABD39D41131F286882B224698DCDEB8D0B4074069AAA687B |
SHA-512: | CB5969BFFAED8AF1791938E924E0CC9F876E45165F4E7EA5E9249131FACA831C0600F14BD68EF041D18C81A3FBE087970043D1B3B8A6786C1E5E5049834D4D0D |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Cleche.Kli
Process: | C:\Users\user\Desktop\FILHKLtCw0.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 54682 |
Entropy (8bit): | 4.600452681909532 |
Encrypted: | false |
SSDEEP: | 768:H/fkzniGiZdP67rzK21FpkUWPlLHv1AtVFWAelfx1WXVl8QO1WF:HE/fcU8BP4zWAIUXU6 |
MD5: | 90B639DCC81998233C63FD5788661C84 |
SHA1: | 33DA31F2E2D564717D235AE50988FB8431FB465F |
SHA-256: | 139EF02E2E13F995BB0458A55C728723FF2C7CA481D6815494364ECEFA8C102C |
SHA-512: | 88B9BE658E749B09336E98DA55C01462775E5574931F22000CC6AD10C0C6B9A9B1A8F1967C89F9BF5D3CF01097A3E90A8922825CEDF1DBF4DD965A3844641E3E |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Halvbroderens.Bou
Process: | C:\Users\user\Desktop\FILHKLtCw0.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 322504 |
Entropy (8bit): | 7.699061460387586 |
Encrypted: | false |
SSDEEP: | 6144:AgqFXi1RsVq1UDXwo/6uHXpUMLYITDlT6kAncw7qiq5Vo:ALXiYVqywrMftT6Xh |
MD5: | 633B3B5C4D4A9C1704140BE89D1D74EF |
SHA1: | 835A23926B61BB3B26CB4EA9DADF9B6526AC14F7 |
SHA-256: | 72FB238B5E3597B29EA9766D2DC9EED47208540FDDD63B82AD445BBE7899C18D |
SHA-512: | 69AE59004B0F9727CD476E25FD8B7555AC240857C56DB27CE616F016367BAE22616C5C40F164896340D7C215560BC26E63B07F0D222B137A9ACBB0CE67D87D57 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Riprap43.gaw
Process: | C:\Users\user\Desktop\FILHKLtCw0.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 56641 |
Entropy (8bit): | 1.2318917163845036 |
Encrypted: | false |
SSDEEP: | 384:vrBeaW6xu5Pd9GW0Zq+/HXF1qcGNMUd8phxiFQHOV7hpvZlq:t9+Pdop/306xixrlq |
MD5: | 39C9A5F767D8C170B5CE38EA8D5734D4 |
SHA1: | 4B4CA81EB3D093645B504004F62A269D4EACDECC |
SHA-256: | 87A7017021050071DBE5726BF9AC505763CD923E2BDE93336CA0905802CD8D49 |
SHA-512: | AE2D66B801251046FA4D3093391B916955B43BE75A954DD398583B1B8881A9F109F51F81D6E4FE759F83AC7B921FA89B02185013AFDE16D3C8EAB422BE89B4FF |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\forskansningens.txt
Process: | C:\Users\user\Desktop\FILHKLtCw0.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 345 |
Entropy (8bit): | 4.241929841155785 |
Encrypted: | false |
SSDEEP: | 6:dvkdMOL4xnuXGNQWjMIDw1luhPB46xAJX7sBJOdkmLA8gMfArpIXbgOwQWiQJEEC:dufExIoDe1lYnGJLsBQdtL6rpIrWQkJA |
MD5: | AE69FE0F4D1E1115BC470031E661785C |
SHA1: | 8D3799826FE457C61C1E8EE5E3071683A8125BC5 |
SHA-256: | 6B18768503395C809263568D3A8858810404C2B7D49DC7CB6CE5F717F5D6C7DE |
SHA-512: | 969C0DB048EAC4A9B447A0C0C463A7983F1B4091B6206E274B9D249F8311439B6C33F5AA1EDF9CD1AA27502DA49378D3E1B45F16909C55DF830E51684E9648BE |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\fyldebtten.soi
Process: | C:\Users\user\Desktop\FILHKLtCw0.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 210366 |
Entropy (8bit): | 1.240975322465592 |
Encrypted: | false |
SSDEEP: | 768:vBTwJOLxCIF0V6iLboHog6BQlsMqlN1R0pmGy30wbfq6+9GmlsNh34k0uJ/QohER:cJigyyDJnLH7zA |
MD5: | AEF78D8D561E8802286A78AAC6C73ED6 |
SHA1: | DDF5DA649482D0A553802827BB9F0EF64A7069E1 |
SHA-256: | 45F24543C01C9A11CC2246A9B27569AF433EEF61C877A4E191B683315D3566BE |
SHA-512: | 93D43C0CECADF8E1F507F8E58D2B4D92995D8F7ECF213A23559938B380033A6D0D80B0816A8D6603864F821F4FEDC988E0F79BE14C6892089178970E08DC4199 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\FILHKLtCw0.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 11776 |
Entropy (8bit): | 5.655335921632966 |
Encrypted: | false |
SSDEEP: | 192:eF24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol9Sl:h8QIl975eXqlWBrz7YLOl9 |
MD5: | EE260C45E97B62A5E42F17460D406068 |
SHA1: | DF35F6300A03C4D3D3BD69752574426296B78695 |
SHA-256: | E94A1F7BCD7E0D532B660D0AF468EB3321536C3EFDCA265E61F9EC174B1AEF27 |
SHA-512: | A98F350D17C9057F33E5847462A87D59CBF2AAEDA7F6299B0D49BB455E484CE4660C12D2EB8C4A0D21DF523E729222BBD6C820BF25B081BC7478152515B414B3 |
Malicious: | false |
Antivirus: |
|
Joe Sandbox View: |
|
Preview: |
Process: | C:\Users\user\Desktop\FILHKLtCw0.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1178 |
Entropy (8bit): | 3.276421799437869 |
Encrypted: | false |
SSDEEP: | 12:8wl0+sXU1e/tz0/CSL6/cBnwgXl341DEDeG41DEDpQ1olfW+kjcmAaFW0CNfBf4U:8FvWLrFPjPCizZMFWjqy |
MD5: | DF5140E59115FC4E34050475B8C00DCC |
SHA1: | 4C1AD71F97C9285B44FF0C4EC07D26D89B3DA983 |
SHA-256: | DA98616213F4AEB00FBDF816C5D2C3AAF4481B7194D97328CB7F1F95362B9152 |
SHA-512: | CC8FB8E0DF850568E2CD301BBC8C7EC084BDB0C0E1836EA7F3F1F37770C0B21802E74DB47B717AB00FC8E49731365CD46481351450C66F822E8961C0B7692094 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 7.962958887068319 |
TrID: |
|
File name: | FILHKLtCw0.exe |
File size: | 475'326 bytes |
MD5: | a2c795a981ddc798d11ec6e3ade42301 |
SHA1: | e650b31efaf33eaf34f92fea24e56d130d91a1f9 |
SHA256: | 12ba9e377bd0dd9470038a28d9c076d28bd8e4bc9c419148a7ae4c20b7a831ba |
SHA512: | cd32d017a2953f3a9469a1f1d755b00a7a9fe3e41189097e75d3afebc575a10af41ad80cdda164da7563a2a88ccb9ce28851edaea4b14989f584996b464916e1 |
SSDEEP: | 12288:I5AsEOYEZGb7d790c5Y3mXxhseRb4C7RMbqgIsgRwu7Jj1JK8s5FEeKH:ZYY103oxhJb4s4IsgRwu7Jj1Jiceu |
TLSH: | D9A423802661C193E4A35F390C62AFF73AFBF31158186F5792989E842DB37C2C97B255 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P..*_...P...P..NP..*_...P...s...P...V...P..Rich.P..........................PE..L......V.................d......... |
Icon Hash: | 3d2e0f95332b3399 |
Entrypoint: | 0x4032a0 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x567F847F [Sun Dec 27 06:26:07 2015 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | d4b94e8ee3f620a89d114b9da4b31873 |
Instruction |
---|
sub esp, 000002D4h |
push ebp |
push esi |
push 00000020h |
xor ebp, ebp |
pop esi |
mov dword ptr [esp+0Ch], ebp |
push 00008001h |
mov dword ptr [esp+0Ch], 0040A300h |
mov dword ptr [esp+18h], ebp |
call dword ptr [004080B0h] |
call dword ptr [004080ACh] |
cmp ax, 00000006h |
je 00007F6C68BA3023h |
push ebp |
call 00007F6C68BA6166h |
cmp eax, ebp |
je 00007F6C68BA3019h |
push 00000C00h |
call eax |
push ebx |
push edi |
push 0040A2F4h |
call 00007F6C68BA60E3h |
push 0040A2ECh |
call 00007F6C68BA60D9h |
push 0040A2E0h |
call 00007F6C68BA60CFh |
push 00000009h |
call 00007F6C68BA6134h |
push 00000007h |
call 00007F6C68BA612Dh |
mov dword ptr [00434F04h], eax |
call dword ptr [00408044h] |
push ebp |
call dword ptr [004082A8h] |
mov dword ptr [00434FB8h], eax |
push ebp |
lea eax, dword ptr [esp+34h] |
push 000002B4h |
push eax |
push ebp |
push 0042B228h |
call dword ptr [0040818Ch] |
push 0040A2C8h |
push 00433F00h |
call 00007F6C68BA5D1Ah |
call dword ptr [004080A8h] |
mov ebx, 0043F000h |
push eax |
push ebx |
call 00007F6C68BA5D08h |
push ebp |
call dword ptr [00408178h] |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x85c8 | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5d000 | 0x11e0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b8 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x637c | 0x6400 | 83ff228d6dae8dd738eb2f78afbc793f | False | 0.672421875 | data | 6.491609540807675 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x8000 | 0x147c | 0x1600 | d9f9b0b330e238260616b62a7a3cac09 | False | 0.42933238636363635 | data | 4.973928345594701 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xa000 | 0x2aff8 | 0x600 | 3f2b05c8fbb8b2e4c9c89e93d30e7252 | False | 0.53125 | data | 4.133631086111171 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.ndata | 0x35000 | 0x28000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x5d000 | 0x11e0 | 0x1200 | 20639f4e7c421f5379e2fb9ea4a1530d | False | 0.3684895833333333 | data | 4.485045860065118 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
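Added example, not the sandbox's own code: the two byte-level metrics that the report tabulates for the dropped files above ("Entropy (8bit)", "Encrypted") and for the PE sections ("Xored PE", "Entropy"), implemented over raw bytes so they can be reproduced on any file or section. The 8-bit Shannon entropy is standard; the "Xored PE" check is this example's own method (look for the "MZ" header and the DOS-stub string under the same single-byte XOR key) and is an assumption about how such a column is derived, not a description of Joe Sandbox internals. The packing threshold and the sample inputs are constructed for the example.

```python
"""Added example (not from the sandbox report): 8-bit Shannon entropy and a
single-byte-XOR-encoded PE check over raw bytes.

Assumptions (not from the report): the 7.2 bits/byte packing threshold, the
'MZ' + DOS-stub detection method, and the constructed inputs below."""
import math
from collections import Counter

DOS_STUB = b"This program cannot be run in DOS mode"


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_xored_pe(data: bytes):
    """Return (key, offset) if data holds a PE whose 'MZ' header and DOS-stub
    string are both present under the same single-byte XOR key, else None.
    Key 0 means a plain PE.  Requiring both markers avoids false positives
    on the two-byte 'MZ' alone."""
    for key in range(256):
        pos = data.find(xor_bytes(DOS_STUB, key))
        if pos == -1:
            continue
        # 'MZ' must precede the stub within a normal-sized DOS header (<= 0x80 bytes)
        start = max(0, pos - 0x80)
        mz_pos = data.find(xor_bytes(b"MZ", key), start, pos)
        if mz_pos != -1:
            return key, mz_pos
    return None


def triage(data: bytes) -> dict:
    """Summarise one section or dropped file the way the report's columns do."""
    ent = shannon_entropy(data)
    hit = find_xored_pe(data)
    return {
        "entropy": round(ent, 3),
        "likely_packed_or_encrypted": ent > 7.2,  # threshold is an assumption
        "xored_pe": hit is not None and hit[0] != 0,
        "xor_key": None if hit is None else hit[0],
    }


def build_fake_pe() -> bytes:
    """Constructed stand-in for a PE image (not a runnable executable):
    'MZ', padding, the DOS-stub string, then a uniform-byte body."""
    header = b"MZ" + bytes(0x4C) + DOS_STUB + b"\r\r\n$"
    return header + bytes(range(256)) * 4


if __name__ == "__main__":
    plain = build_fake_pe()
    # Hide the fake PE under key 0x5A with zero padding, as a loader might carry a payload.
    hidden = bytes(64) + xor_bytes(plain, 0x5A) + bytes(64)
    print("plain :", triage(plain))
    print("hidden:", triage(hidden))
```

Entropy alone is a weak packing signal: a file can sit below any threshold and still carry an encoded payload (the XOR stage preserves the plaintext's entropy, so a low-entropy payload stays low), which is why the XOR check is a separate column. Multi-byte and rolling keys defeat the single-byte search; for those, look for the constant-key run that the DOS header's long zero field produces, or brute-force against the same two markers with a longer key.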
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_BITMAP | 0x5d268 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States | 0.23623853211009174 |
RT_ICON | 0x5d5d0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.42473118279569894 |
RT_DIALOG | 0x5d8b8 | 0x144 | data | English | United States | 0.5216049382716049 |
RT_DIALOG | 0x5da00 | 0x13c | data | English | United States | 0.5506329113924051 |
RT_DIALOG | 0x5db40 | 0x100 | data | English | United States | 0.5234375 |
RT_DIALOG | 0x5dc40 | 0x11c | data | English | United States | 0.6056338028169014 |
RT_DIALOG | 0x5dd60 | 0xc4 | data | English | United States | 0.5918367346938775 |
RT_DIALOG | 0x5de28 | 0x60 | data | English | United States | 0.7291666666666666 |
RT_GROUP_ICON | 0x5de88 | 0x14 | data | English | United States | 1.2 |
RT_MANIFEST | 0x5dea0 | 0x33f | XML 1.0 document, ASCII text, with very long lines (831), with no line terminators | English | United States | 0.5547533092659447 |
DLL | Import |
---|---|
KERNEL32.dll | SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, MoveFileW, SetFileAttributesW, GetCurrentProcess, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, CopyFileW, CompareFileTime, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, LoadLibraryW, GetProcAddress, GetModuleHandleA, ExpandEnvironmentStringsW, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, GlobalFree, lstrcmpW, GlobalAlloc, WaitForSingleObject, GlobalUnlock, GetDiskFreeSpaceW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW |
USER32.dll | GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, GetDC, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, LoadImageW, SetWindowLongW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, SetTimer, FindWindowExW, SendMessageTimeoutW, SetForegroundWindow |
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW |
ADVAPI32.dll | RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW |
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-10T20:23:56.219592+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.5 | 59240 | 142.250.181.238 | 443 | TCP |
2025-01-10T20:24:02.515912+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 59242 | 193.122.6.168 | 80 | TCP |
2025-01-10T20:24:09.781628+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 59242 | 193.122.6.168 | 80 | TCP |
2025-01-10T20:24:10.431548+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.5 | 59244 | 149.154.167.220 | 443 | TCP |
2025-01-10T20:24:10.630821+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.5 | 59244 | 149.154.167.220 | 443 | TCP |
2025-01-10T20:24:13.719098+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 59245 | 193.122.6.168 | 80 | TCP |
2025-01-10T20:24:14.333494+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.5 | 59246 | 149.154.167.220 | 443 | TCP |
2025-01-10T20:24:14.585687+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.5 | 59246 | 149.154.167.220 | 443 | TCP |
2025-01-10T20:24:17.723033+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.5 | 59248 | 149.154.167.220 | 443 | TCP |
2025-01-10T20:24:17.898382+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.5 | 59248 | 149.154.167.220 | 443 | TCP |
2025-01-10T20:24:19.237869+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.5 | 59250 | 149.154.167.220 | 443 | TCP |
2025-01-10T20:24:19.416338+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.5 | 59250 | 149.154.167.220 | 443 | TCP |
2025-01-10T20:24:21.560698+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.5 | 59252 | 149.154.167.220 | 443 | TCP |
2025-01-10T20:24:21.746582+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.5 | 59252 | 149.154.167.220 | 443 | TCP |
2025-01-10T20:24:23.044538+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.5 | 59254 | 149.154.167.220 | 443 | TCP |
2025-01-10T20:24:23.224034+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.5 | 59254 | 149.154.167.220 | 443 | TCP |
2025-01-10T20:24:24.566117+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.5 | 59256 | 149.154.167.220 | 443 | TCP |
2025-01-10T20:24:24.812890+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.5 | 59256 | 149.154.167.220 | 443 | TCP |
2025-01-10T20:24:26.101869+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.5 | 59258 | 149.154.167.220 | 443 | TCP |
2025-01-10T20:24:26.278739+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.5 | 59258 | 149.154.167.220 | 443 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 10, 2025 20:24:23.298713923 CET | 80 | 59253 | 193.122.6.168 | 192.168.2.5 |
Jan 10, 2025 20:24:23.298777103 CET | 59253 | 80 | 192.168.2.5 | 193.122.6.168 |
Jan 10, 2025 20:24:23.301103115 CET | 80 | 59255 | 193.122.6.168 | 192.168.2.5 |
Jan 10, 2025 20:24:23.301175117 CET | 59255 | 80 | 192.168.2.5 | 193.122.6.168 |
Jan 10, 2025 20:24:23.301420927 CET | 59255 | 80 | 192.168.2.5 | 193.122.6.168 |
Jan 10, 2025 20:24:23.306226015 CET | 80 | 59255 | 193.122.6.168 | 192.168.2.5 |
Jan 10, 2025 20:24:23.927546024 CET | 80 | 59255 | 193.122.6.168 | 192.168.2.5 |
Jan 10, 2025 20:24:23.929364920 CET | 59256 | 443 | 192.168.2.5 | 149.154.167.220 |
Jan 10, 2025 20:24:23.929416895 CET | 443 | 59256 | 149.154.167.220 | 192.168.2.5 |
Jan 10, 2025 20:24:23.929488897 CET | 59256 | 443 | 192.168.2.5 | 149.154.167.220 |
Jan 10, 2025 20:24:23.929933071 CET | 59256 | 443 | 192.168.2.5 | 149.154.167.220 |
Jan 10, 2025 20:24:23.929944992 CET | 443 | 59256 | 149.154.167.220 | 192.168.2.5 |
Jan 10, 2025 20:24:23.969058037 CET | 59255 | 80 | 192.168.2.5 | 193.122.6.168 |
Jan 10, 2025 20:24:24.562628031 CET | 443 | 59256 | 149.154.167.220 | 192.168.2.5 |
Jan 10, 2025 20:24:24.565634012 CET | 59256 | 443 | 192.168.2.5 | 149.154.167.220 |
Jan 10, 2025 20:24:24.565648079 CET | 443 | 59256 | 149.154.167.220 | 192.168.2.5 |
Jan 10, 2025 20:24:24.565711021 CET | 59256 | 443 | 192.168.2.5 | 149.154.167.220 |
Jan 10, 2025 20:24:24.565717936 CET | 443 | 59256 | 149.154.167.220 | 192.168.2.5 |
Jan 10, 2025 20:24:24.812788010 CET | 443 | 59256 | 149.154.167.220 | 192.168.2.5 |
Jan 10, 2025 20:24:24.812856913 CET | 443 | 59256 | 149.154.167.220 | 192.168.2.5 |
Jan 10, 2025 20:24:24.813585997 CET | 59256 | 443 | 192.168.2.5 | 149.154.167.220 |
Jan 10, 2025 20:24:24.816179037 CET | 59256 | 443 | 192.168.2.5 | 149.154.167.220 |
Jan 10, 2025 20:24:24.820483923 CET | 59255 | 80 | 192.168.2.5 | 193.122.6.168 |
Jan 10, 2025 20:24:24.821501970 CET | 59257 | 80 | 192.168.2.5 | 193.122.6.168 |
Jan 10, 2025 20:24:24.825454950 CET | 80 | 59255 | 193.122.6.168 | 192.168.2.5 |
Jan 10, 2025 20:24:24.825524092 CET | 59255 | 80 | 192.168.2.5 | 193.122.6.168 |
Jan 10, 2025 20:24:24.826370001 CET | 80 | 59257 | 193.122.6.168 | 192.168.2.5 |
Jan 10, 2025 20:24:24.826508999 CET | 59257 | 80 | 192.168.2.5 | 193.122.6.168 |
Jan 10, 2025 20:24:24.826559067 CET | 59257 | 80 | 192.168.2.5 | 193.122.6.168 |
Jan 10, 2025 20:24:24.831331015 CET | 80 | 59257 | 193.122.6.168 | 192.168.2.5 |
Jan 10, 2025 20:24:25.472788095 CET | 80 | 59257 | 193.122.6.168 | 192.168.2.5 |
Jan 10, 2025 20:24:25.474172115 CET | 59258 | 443 | 192.168.2.5 | 149.154.167.220 |
Jan 10, 2025 20:24:25.474210978 CET | 443 | 59258 | 149.154.167.220 | 192.168.2.5 |
Jan 10, 2025 20:24:25.474293947 CET | 59258 | 443 | 192.168.2.5 | 149.154.167.220 |
Jan 10, 2025 20:24:25.474608898 CET | 59258 | 443 | 192.168.2.5 | 149.154.167.220 |
Jan 10, 2025 20:24:25.474625111 CET | 443 | 59258 | 149.154.167.220 | 192.168.2.5 |
Jan 10, 2025 20:24:25.516109943 CET | 59257 | 80 | 192.168.2.5 | 193.122.6.168 |
Jan 10, 2025 20:24:26.099781990 CET | 443 | 59258 | 149.154.167.220 | 192.168.2.5 |
Jan 10, 2025 20:24:26.101670027 CET | 59258 | 443 | 192.168.2.5 | 149.154.167.220 |
Jan 10, 2025 20:24:26.101701021 CET | 443 | 59258 | 149.154.167.220 | 192.168.2.5 |
Jan 10, 2025 20:24:26.101783037 CET | 59258 | 443 | 192.168.2.5 | 149.154.167.220 |
Jan 10, 2025 20:24:26.101788998 CET | 443 | 59258 | 149.154.167.220 | 192.168.2.5 |
Jan 10, 2025 20:24:26.278769016 CET | 443 | 59258 | 149.154.167.220 | 192.168.2.5 |
Jan 10, 2025 20:24:26.278846025 CET | 443 | 59258 | 149.154.167.220 | 192.168.2.5 |
Jan 10, 2025 20:24:26.278907061 CET | 59258 | 443 | 192.168.2.5 | 149.154.167.220 |
Jan 10, 2025 20:24:28.892443895 CET | 59258 | 443 | 192.168.2.5 | 149.154.167.220 |
Jan 10, 2025 20:24:28.895052910 CET | 59257 | 80 | 192.168.2.5 | 193.122.6.168 |
Jan 10, 2025 20:24:28.895467997 CET | 59259 | 80 | 192.168.2.5 | 193.122.6.168 |
Jan 10, 2025 20:24:28.900197029 CET | 80 | 59257 | 193.122.6.168 | 192.168.2.5 |
Jan 10, 2025 20:24:28.900268078 CET | 59257 | 80 | 192.168.2.5 | 193.122.6.168 |
Jan 10, 2025 20:24:28.900352955 CET | 80 | 59259 | 193.122.6.168 | 192.168.2.5 |
Jan 10, 2025 20:24:28.900492907 CET | 59259 | 80 | 192.168.2.5 | 193.122.6.168 |
Jan 10, 2025 20:24:28.900492907 CET | 59259 | 80 | 192.168.2.5 | 193.122.6.168 |
Jan 10, 2025 20:24:28.905325890 CET | 80 | 59259 | 193.122.6.168 | 192.168.2.5 |
Jan 10, 2025 20:24:29.556304932 CET | 80 | 59259 | 193.122.6.168 | 192.168.2.5 |
Jan 10, 2025 20:24:29.609755039 CET | 59259 | 80 | 192.168.2.5 | 193.122.6.168 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Jan 10, 2025 20:23:55.158039093 CET | 192.168.2.5 | 1.1.1.1 | 0xbe4a | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 20:23:56.236675978 CET | 192.168.2.5 | 1.1.1.1 | 0xfbd6 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 20:24:00.544954062 CET | 192.168.2.5 | 1.1.1.1 | 0x9e4f | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 20:24:02.725830078 CET | 192.168.2.5 | 1.1.1.1 | 0xdc86 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 20:24:09.742088079 CET | 192.168.2.5 | 1.1.1.1 | 0xd75f | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Jan 10, 2025 20:23:55.164729118 CET | 1.1.1.1 | 192.168.2.5 | 0xbe4a | No error (0) | | | 142.250.181.238 | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 20:23:56.243846893 CET | 1.1.1.1 | 192.168.2.5 | 0xfbd6 | No error (0) | | | 142.250.185.193 | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 20:24:00.551928043 CET | 1.1.1.1 | 192.168.2.5 | 0x9e4f | No error (0) | | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false |
Jan 10, 2025 20:24:00.551928043 CET | 1.1.1.1 | 192.168.2.5 | 0x9e4f | No error (0) | | | 193.122.6.168 | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 20:24:00.551928043 CET | 1.1.1.1 | 192.168.2.5 | 0x9e4f | No error (0) | | | 158.101.44.242 | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 20:24:00.551928043 CET | 1.1.1.1 | 192.168.2.5 | 0x9e4f | No error (0) | | | 132.226.8.169 | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 20:24:00.551928043 CET | 1.1.1.1 | 192.168.2.5 | 0x9e4f | No error (0) | | | 132.226.247.73 | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 20:24:00.551928043 CET | 1.1.1.1 | 192.168.2.5 | 0x9e4f | No error (0) | | | 193.122.130.0 | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 20:24:02.733406067 CET | 1.1.1.1 | 192.168.2.5 | 0xdc86 | No error (0) | | | 104.21.64.1 | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 20:24:02.733406067 CET | 1.1.1.1 | 192.168.2.5 | 0xdc86 | No error (0) | | | 104.21.96.1 | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 20:24:02.733406067 CET | 1.1.1.1 | 192.168.2.5 | 0xdc86 | No error (0) | | | 104.21.112.1 | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 20:24:02.733406067 CET | 1.1.1.1 | 192.168.2.5 | 0xdc86 | No error (0) | | | 104.21.32.1 | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 20:24:02.733406067 CET | 1.1.1.1 | 192.168.2.5 | 0xdc86 | No error (0) | | | 104.21.16.1 | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 20:24:02.733406067 CET | 1.1.1.1 | 192.168.2.5 | 0xdc86 | No error (0) | | | 104.21.48.1 | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 20:24:02.733406067 CET | 1.1.1.1 | 192.168.2.5 | 0xdc86 | No error (0) | | | 104.21.80.1 | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 20:24:09.749572992 CET | 1.1.1.1 | 192.168.2.5 | 0xd75f | No error (0) | | | 149.154.167.220 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.5 | 59242 | 193.122.6.168 | 80 | 5852 | C:\Users\user\Desktop\FILHKLtCw0.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jan 10, 2025 20:24:00.562228918 CET | 151 | OUT | |
Jan 10, 2025 20:24:02.238684893 CET | 273 | IN | |
Jan 10, 2025 20:24:02.243115902 CET | 127 | OUT | |
Jan 10, 2025 20:24:02.473367929 CET | 273 | IN | |
Jan 10, 2025 20:24:09.527010918 CET | 127 | OUT | |
Jan 10, 2025 20:24:09.738154888 CET | 273 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.5 | 59245 | 193.122.6.168 | 80 | 5852 | C:\Users\user\Desktop\FILHKLtCw0.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jan 10, 2025 20:24:10.898528099 CET | 127 | OUT | |
Jan 10, 2025 20:24:13.667979956 CET | 273 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.5 | 59247 | 193.122.6.168 | 80 | 5852 | C:\Users\user\Desktop\FILHKLtCw0.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jan 10, 2025 20:24:14.680499077 CET | 151 | OUT | |
Jan 10, 2025 20:24:17.055259943 CET | 273 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.5 | 59249 | 193.122.6.168 | 80 | 5852 | C:\Users\user\Desktop\FILHKLtCw0.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jan 10, 2025 20:24:17.958719969 CET | 151 | OUT | |
Jan 10, 2025 20:24:18.601851940 CET | 273 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.5 | 59251 | 193.122.6.168 | 80 | 5852 | C:\Users\user\Desktop\FILHKLtCw0.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jan 10, 2025 20:24:19.426176071 CET | 151 | OUT | |
Jan 10, 2025 20:24:20.943557978 CET | 273 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.5 | 59253 | 193.122.6.168 | 80 | 5852 | C:\Users\user\Desktop\FILHKLtCw0.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jan 10, 2025 20:24:21.757296085 CET | 151 | OUT | |
Jan 10, 2025 20:24:22.398592949 CET | 273 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.5 | 59255 | 193.122.6.168 | 80 | 5852 | C:\Users\user\Desktop\FILHKLtCw0.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jan 10, 2025 20:24:23.301420927 CET | 151 | OUT | |
Jan 10, 2025 20:24:23.927546024 CET | 273 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.5 | 59257 | 193.122.6.168 | 80 | 5852 | C:\Users\user\Desktop\FILHKLtCw0.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jan 10, 2025 20:24:24.826559067 CET | 151 | OUT | |
Jan 10, 2025 20:24:25.472788095 CET | 273 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port |
---|---|---|---|---|
8 | 192.168.2.5 | 59259 | 193.122.6.168 | 80 |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jan 10, 2025 20:24:28.900492907 CET | 151 | OUT | |
Jan 10, 2025 20:24:29.556304932 CET | 273 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.5 | 59240 | 142.250.181.238 | 443 | 5852 | C:\Users\user\Desktop\FILHKLtCw0.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-10 19:23:55 UTC | 216 | OUT | |
2025-01-10 19:23:56 UTC | 1920 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.5 | 59241 | 142.250.185.193 | 443 | 5852 | C:\Users\user\Desktop\FILHKLtCw0.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-10 19:23:56 UTC | 258 | OUT | |
2025-01-10 19:23:59 UTC | 4940 | IN | |
2025-01-10 19:23:59 UTC | 4940 | IN | |
2025-01-10 19:23:59 UTC | 4818 | IN | |
2025-01-10 19:23:59 UTC | 1323 | IN | |
2025-01-10 19:23:59 UTC | 1390 | IN | |
2025-01-10 19:23:59 UTC | 1390 | IN | |
2025-01-10 19:23:59 UTC | 1390 | IN | |
2025-01-10 19:23:59 UTC | 1390 | IN | |
2025-01-10 19:23:59 UTC | 1390 | IN | |
2025-01-10 19:23:59 UTC | 1390 | IN | |
2025-01-10 19:23:59 UTC | 1390 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.5 | 59243 | 104.21.64.1 | 443 | 5852 | C:\Users\user\Desktop\FILHKLtCw0.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-10 19:24:03 UTC | 85 | OUT | |
2025-01-10 19:24:03 UTC | 860 | IN | |
2025-01-10 19:24:03 UTC | 362 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.5 | 59244 | 149.154.167.220 | 443 | 5852 | C:\Users\user\Desktop\FILHKLtCw0.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-10 19:24:10 UTC | 296 | OUT | |
2025-01-10 19:24:10 UTC | 1090 | OUT | |
2025-01-10 19:24:10 UTC | 347 | IN | |
2025-01-10 19:24:10 UTC | 58 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.5 | 59246 | 149.154.167.220 | 443 | 5852 | C:\Users\user\Desktop\FILHKLtCw0.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-10 19:24:14 UTC | 296 | OUT | |
2025-01-10 19:24:14 UTC | 1090 | OUT | |
2025-01-10 19:24:14 UTC | 347 | IN | |
2025-01-10 19:24:14 UTC | 58 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.5 | 59248 | 149.154.167.220 | 443 | 5852 | C:\Users\user\Desktop\FILHKLtCw0.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-10 19:24:17 UTC | 296 | OUT | |
2025-01-10 19:24:17 UTC | 1090 | OUT | |
2025-01-10 19:24:17 UTC | 347 | IN | |
2025-01-10 19:24:17 UTC | 58 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.5 | 59250 | 149.154.167.220 | 443 | 5852 | C:\Users\user\Desktop\FILHKLtCw0.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-10 19:24:19 UTC | 272 | OUT | |
2025-01-10 19:24:19 UTC | 1090 | OUT | |
2025-01-10 19:24:19 UTC | 347 | IN | |
2025-01-10 19:24:19 UTC | 58 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.5 | 59252 | 149.154.167.220 | 443 | 5852 | C:\Users\user\Desktop\FILHKLtCw0.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-10 19:24:21 UTC | 272 | OUT | |
2025-01-10 19:24:21 UTC | 1090 | OUT | |
2025-01-10 19:24:21 UTC | 347 | IN | |
2025-01-10 19:24:21 UTC | 58 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
8 | 192.168.2.5 | 59254 | 149.154.167.220 | 443 | 5852 | C:\Users\user\Desktop\FILHKLtCw0.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-10 19:24:23 UTC | 272 | OUT | |
2025-01-10 19:24:23 UTC | 1090 | OUT | |
2025-01-10 19:24:23 UTC | 347 | IN | |
2025-01-10 19:24:23 UTC | 58 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
9 | 192.168.2.5 | 59256 | 149.154.167.220 | 443 | 5852 | C:\Users\user\Desktop\FILHKLtCw0.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-10 19:24:24 UTC | 296 | OUT | |
2025-01-10 19:24:24 UTC | 1090 | OUT | |
2025-01-10 19:24:24 UTC | 347 | IN | |
2025-01-10 19:24:24 UTC | 58 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
10 | 192.168.2.5 | 59258 | 149.154.167.220 | 443 | 5852 | C:\Users\user\Desktop\FILHKLtCw0.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-10 19:24:26 UTC | 272 | OUT | |
2025-01-10 19:24:26 UTC | 1090 | OUT | |
2025-01-10 19:24:26 UTC | 347 | IN | |
2025-01-10 19:24:26 UTC | 58 | IN |
Target ID: | 0 |
Start time: | 14:22:19 |
Start date: | 10/01/2025 |
Path: | C:\Users\user\Desktop\FILHKLtCw0.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 475'326 bytes |
MD5 hash: | A2C795A981DDC798D11EC6E3ADE42301 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | true |
Target ID: | 4 |
Start time: | 14:23:42 |
Start date: | 10/01/2025 |
Path: | C:\Users\user\Desktop\FILHKLtCw0.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 475'326 bytes |
MD5 hash: | A2C795A981DDC798D11EC6E3ADE42301 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | false |
Execution Graph
Execution Coverage: | 21.2% |
Dynamic/Decrypted Code Coverage: | 13.9% |
Signature Coverage: | 20.8% |
Total number of Nodes: | 1517 |
Total number of Limit Nodes: | 46 |
Graph
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
004032A0 | 89.7 | 32 | 19 | 401 | string, file, com, COMMON |
00404B30 | 63.5 | 33 | 3 | 481 | window, memory, COMMON |
00406077 | 19.5 | 8 | 3 | 207 | string, COMMON |
00405846 | 17.6 | 7 | 3 | 148 | file, string, COMMON |
00406398 | 3.0 | 2 | | 14 | file, COMMON |
004027FB | 1.5 | 1 | | 30 | file, COMMON |
0040389E | 47.5 | 14 | 13 | 215 | string, registry, COMMON |
00401767 | 15.9 | 5 | 4 | 145 | string, time, COMMON |
004025E5 | 10.7 | 5 | 1 | 151 | file, COMMON |
0040237B | 8.8 | 4 | 1 | 71 | registry, string, COMMON |
004063BF | 7.0 | 3 | 1 | 34 | library, COMMON |
00405128 | 5.3 | 2 | 1 | 46 | window, COMMON |
00401FC3 | 4.6 | 3 | | 73 | library, COMMON |
100028A4 | 3.2 | 2 | | 156 | COMMON |
00401389 | 3.0 | 2 | | 43 | window, COMMON |
00401DDC | 3.0 | 2 | | 21 | COMMON |
00405C2A | 3.0 | 2 | | 16 | file, COMMON |
00405700 | 3.0 | 2 | | 9 | COMMON |
00402786 | 1.5 | 1 | | 26 | COMMON |
0040229D | 1.5 | 1 | | 25 | COMMON |
00405CDC | 1.5 | 1 | | 22 | file, COMMON |
00405CAD | 1.5 | 1 | | 22 | file, COMMON |
100027C7 | 1.5 | 1 | | 21 | memory, COMMON |
0040159B | 1.5 | 1 | | 18 | COMMON |
0040414E | 1.5 | 1 | | 6 | window, COMMON |
00403258 | 1.5 | 1 | | 6 | COMMON |
1000121B | 1.3 | 1 | | 6 | memory, COMMON |
004052F3 | 65.0 | 36 | 1 | 284 | window, clipboard, memory, COMMON |
004045B4 | 23.0 | 10 | 3 | 275 | string, COMMON |
0040686A | .3 | | | 334 | COMMON |
00407041 | .3 | | | 300 | COMMON |
004042B6 | 42.2 | 20 | 4 | 207 | window, string, COMMON |
00405D84 | 24.6 | 11 | 3 | 131 | string, memory, COMMON |
00404180 | 12.1 | 8 | | 61 | COMMON |
00404A7E | 10.5 | 5 | 1 | 48 | window, COMMON |
00402D04 | 10.5 | 5 | 1 | 40 | time, COMMON |
100022D0 | 9.1 | 6 | | 136 | memory, COMMON |
100024A9 | 9.1 | 6 | | 98 | COMMON |
00402537 | 8.8 | 3 | 2 | 67 | string, COMMON |
100018A9 | 7.7 | 5 | | 189 | COMMON |
100015FF | 7.5 | 5 | | 41 | memory, library, loader, COMMON |
00401CFA | 7.5 | 5 | | 39 | window, COMMON |
00404970 | 7.1 | 3 | 1 | 84 | string, COMMON |
00401BDF | 7.1 | 3 | 1 | 76 | window, time, COMMON |
00405F22 | 7.0 | 3 | 1 | 45 | registry, COMMON |
00405A09 | 7.0 | 3 | 1 | 16 | string, COMMON |
00402D8A | 6.0 | 4 | | 33 | COMMON |
00405B11 | 5.3 | 2 | 1 | 47 | string, COMMON |
00405735 | 5.3 | 2 | 1 | 24 | process, COMMON |
00405A55 | 5.3 | 2 | 1 | 16 | string, COMMON |
100010E1 | 5.1 | 4 | | 104 | memory, COMMON |
00405B8F | 5.0 | 4 | | 37 | string, COMMON |
Execution Graph
Execution Coverage: | 9.9% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 2.6% |
Total number of Nodes: | 234 |
Total number of Limit Nodes: | 15 |
Graph
Function 00114328 | Relevance: 6.4, Strings: 5, Instructions: 193 | COMMON
Function 00115F90 | Relevance: 5.4, Strings: 4, Instructions: 442 | COMMON
Function 00119048 | Relevance: 3.4, Strings: 2, Instructions: 899 | COMMON
Function 00115968 | Relevance: 3.0, Strings: 2, Instructions: 513 | COMMON
Function 3940E870 | Relevance: 2.0, Strings: 1, Instructions: 764 | COMMON
Function 38EDBDF0 | Relevance: 2.0, Strings: 1, Instructions: 758 | COMMON
Function 38EDA360 | Relevance: 1.5, Strings: 1, Instructions: 219 | COMMON
Function 38ED9D10 | Relevance: 1.5, Strings: 1, Instructions: 219 | COMMON
Function 38EDA9B0 | Relevance: 1.5, Strings: 1, Instructions: 218 | COMMON
Function 38ED96C8 | Relevance: 1.5, Strings: 1, Instructions: 218 | COMMON
Function 38EDA9A0 | Relevance: 1.4, Strings: 1, Instructions: 170 | COMMON
Function 38ED96B8 | Relevance: 1.4, Strings: 1, Instructions: 165 | COMMON
Function 38ED8650 | Relevance: .7, Instructions: 709 | COMMON
Function 3838C638 | Relevance: .3, Instructions: 303 | COMMON
Function 383803B0 | Relevance: .3, Instructions: 274 | COMMON
Function 38380C1A | Relevance: .2, Instructions: 235 | COMMON
Function 38380C28 | Relevance: .2, Instructions: 220 | COMMON
Function 38380F6F | Relevance: .2, Instructions: 202 | COMMON
Function 38EDBA97 | Relevance: .2, Instructions: 191 | COMMON
Function 38EDBA8E | Relevance: .2, Instructions: 187 | COMMON
Function 38ED8640 | Relevance: .2, Instructions: 170 | COMMON
Function 38EDC92F | Relevance: .2, Instructions: 153 | COMMON
Function 38ED9D00 | Relevance: .1, Instructions: 118 | COMMON
Function 38EDA352 | Relevance: .1, Instructions: 109 | COMMON
Function 001166B8 | Relevance: 10.5, Strings: 8, Instructions: 476 | COMMON
Function 39400980 | Relevance: 6.1, APIs: 4, Instructions: 128 | thread | COMMON
Function 001119B8 | Relevance: 5.3, Strings: 4, Instructions: 317 | COMMON
Function 38EDD548 | Relevance: 5.2, Strings: 4, Instructions: 153 | COMMON
Function 00110B20 | Relevance: 4.0, Strings: 3, Instructions: 205 | COMMON
Function 00110B30 | Relevance: 4.0, Strings: 3, Instructions: 200 | COMMON
Function 38ED7920 | Relevance: 3.9, Strings: 3, Instructions: 147 | COMMON
Function 00114F00 | Relevance: 2.8, Strings: 2, Instructions: 334 | COMMON
Function 00118D90 | Relevance: 2.8, Strings: 2, Instructions: 319 | COMMON
Function 00115460 | Relevance: 2.7, Strings: 2, Instructions: 228 | COMMON
Function 38EDFAB8 | Relevance: 2.7, Strings: 2, Instructions: 189 | COMMON
Function 00118BF0 | Relevance: 2.7, Strings: 2, Instructions: 152 | COMMON
Function 00112C88 | Relevance: 2.6, Strings: 2, Instructions: 112 | COMMON
Function 00117EC0 | Relevance: 2.6, Strings: 2, Instructions: 103 | COMMON
Function 38EDFAA8 | Relevance: 2.6, Strings: 2, Instructions: 88 | COMMON
Function 38ED7922 | Relevance: 2.6, Strings: 2, Instructions: 72 | COMMON
Function 39400104 | Relevance: 1.6, APIs: 1, Instructions: 118 | COMMON
Function 39400110 | Relevance: 1.6, APIs: 1, Instructions: 113 | COMMON
Function 39401854 | Relevance: 1.6, APIs: 1, Instructions: 97 | COMMON
Function 39400BC1 | Relevance: 1.6, APIs: 1, Instructions: 66 | COMMON
Function 39400BC8 | Relevance: 1.6, APIs: 1, Instructions: 62 | COMMON
Function 39402019 | Relevance: 1.5, APIs: 1, Instructions: 48 | time | COMMON
Function 3940D4C8 | Relevance: 1.5, APIs: 1, Instructions: 46 | com | COMMON
Function 3940C618 | Relevance: 1.5, APIs: 1, Instructions: 46 | com | COMMON
Function 3940C6C4 | Relevance: 1.5, APIs: 1, Instructions: 46 | window | COMMON
Function 39402020 | Relevance: 1.5, APIs: 1, Instructions: 44 | time | COMMON
Function 3940E7A8 | Relevance: 1.5, APIs: 1, Instructions: 43 | window | COMMON
Function 00119EB0 | Relevance: 1.4, Strings: 1, Instructions: 120 | COMMON
Function 38EDD370 | Relevance: 1.3, Strings: 1, Instructions: 88 | COMMON
Function 38ED962C | Relevance: 1.3, Strings: 1, Instructions: 39 | COMMON
Function 38EDC175 | Relevance: .3, Instructions: 322 | COMMON
Function 38EDC173 | Relevance: .3, Instructions: 319 | COMMON
Function 00116C98 | Relevance: .2, Instructions: 201 | COMMON
Function 0011AF90 | Relevance: .2, Instructions: 194 | COMMON
Function 38EDC4CF | Relevance: .2, Instructions: 155 | COMMON
Function 38EDCC28 | Relevance: .1, Instructions: 145 | COMMON
Function 00113168 | Relevance: .1, Instructions: 134 | COMMON
Function 38ED8721 | Relevance: .1, Instructions: 130 | COMMON
Function 38EDB896 | Relevance: .1, Instructions: 126 | COMMON
Function 001192C3 | Relevance: .1, Instructions: 125 | COMMON
Function 00114620 | Relevance: .1, Instructions: 101 | COMMON
Function 0011B1B7 | Relevance: .1, Instructions: 97 | COMMON
Function 00116F40 | Relevance: .1, Instructions: 87 | COMMON
Function 001152BA | Relevance: .1, Instructions: 78 | COMMON
Function 001118C8 | Relevance: .1, Instructions: 77 | COMMON
Function 0009D4DC | Relevance: .1, Instructions: 75 | COMMON
Function 000AD030 | Relevance: .1, Instructions: 72 | COMMON
Function 0011B2C2 | Relevance: .1, Instructions: 69 | COMMON
Function 00114612 | Relevance: .1, Instructions: 68 | COMMON
Function 0011324D | Relevance: .1, Instructions: 68 | COMMON
Function 00118729 | Relevance: .1, Instructions: 65 | COMMON
Function 00110EC8 | Relevance: .1, Instructions: 65 | COMMON
Function 0011FE60 | Relevance: .1, Instructions: 64 | COMMON
Function 001193A1 | Relevance: .1, Instructions: 63 | COMMON
Function 001152C8 | Relevance: .1, Instructions: 59 | COMMON
Function 001117B8 | Relevance: .1, Instructions: 59 | COMMON
Function 0011B2E0 | Relevance: .1, Instructions: 57 | COMMON
Function 0009D4D7 | Relevance: .1, Instructions: 56 | COMMON
Function 38EDB9C8 | Relevance: .1, Instructions: 56 | COMMON
Function 38EDB9C7 | Relevance: .1, Instructions: 56 | COMMON
Function 000AD02B | Relevance: .1, Instructions: 53 | COMMON
Function 00114E5F | Relevance: .1, Instructions: 52 | COMMON
Function 38EDEBD4 | Relevance: .0, Instructions: 50 | COMMON
Function 0011B2F0 | Relevance: .0, Instructions: 49 | COMMON
Function 38EDCE51 | Relevance: .0, Instructions: 46 | COMMON
Function 0011FC38 | Relevance: .0, Instructions: 43 | COMMON
Function 38EDCE60 | Relevance: .0, Instructions: 39 | COMMON
Function 38ED964C | Relevance: .0, Instructions: 35 | COMMON
Function 0011B158 | Relevance: .0, Instructions: 34 | COMMON
Function 0011FE10 | Relevance: .0, Instructions: 28 | COMMON
Function 00111877 | Relevance: .0, Instructions: 23 | COMMON
Function 0011FE20 | Relevance: .0, Instructions: 23 | COMMON
Function 00111888 | Relevance: .0, Instructions: 19 | COMMON
Function 0011FF21 | Relevance: .0, Instructions: 19 | COMMON
Function 001156FF | Relevance: .0, Instructions: 18 | COMMON
Function 00119F6D | Relevance: .0, Instructions: 16 | COMMON
Function 38EDCF31 | Relevance: .0, Instructions: 16 | COMMON
Function 0011FF30 | Relevance: .0, Instructions: 15 | COMMON
Function 38EDD49D | Relevance: .0, Instructions: 15 | COMMON
Function 38ED961C | Relevance: .0, Instructions: 15 | COMMON
Function 38EDBD48 | Relevance: .0, Instructions: 13 | COMMON
Function 00115710 | Relevance: .0, Instructions: 12 | COMMON
Function 0011FFB0 | Relevance: .0, Instructions: 12 | COMMON
Function 38ED9544 | Relevance: .0, Instructions: 12 | COMMON
Function 004032A0 | Relevance: 77.4, APIs: 32, Strings: 12, Instructions: 401 | string, file, com | COMMON
Function 00404B30 | Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481 | window, memory | COMMON
Function 38EDAFF8 | Relevance: 23.0, Strings: 18, Instructions: 461 | COMMON
Function 00405846 | Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 148 | file, string | COMMON
Function 38EDAFE8 | Relevance: 12.9, Strings: 10, Instructions: 361 | COMMON
Function 38EDAFF7 | Relevance: 12.9, Strings: 10, Instructions: 361 | COMMON
Function 38ED7B4F | Relevance: 3.1, Strings: 2, Instructions: 611 | COMMON
Function 38ED8193 | Relevance: 1.4, Strings: 1, Instructions: 193 | COMMON
Function 38ED8373 | Relevance: 1.4, Strings: 1, Instructions: 116 | COMMON
Function 3838B930 | Relevance: .3, Instructions: 276 | COMMON
Function 3838B07F | Relevance: .3, Instructions: 274 | COMMON
Function 3838B4D8 | Relevance: .3, Instructions: 274 | COMMON
Function 3838DEE1 | Relevance: .3, Instructions: 273 | COMMON
Function 3838DA89 | Relevance: .3, Instructions: 272 | COMMON
Function 3838EBF2 | Relevance: .3, Instructions: 270 | COMMON
Function 38ED7070 | Relevance: .3, Instructions: 268 | COMMON
Function 38ED1858 | Relevance: .3, Instructions: 268 | COMMON
Function 38ED4820 | Relevance: .3, Instructions: 268 | COMMON
Function 38ED29B8 | Relevance: .3, Instructions: 268 | COMMON
Function 38ED2108 | Relevance: .3, Instructions: 268 | COMMON
Function 38ED5AB8 | Relevance: .3, Instructions: 268 | COMMON
Function 38ED3268 | Relevance: .3, Instructions: 268 | COMMON
Function 38ED5208 | Relevance: .3, Instructions: 268 | COMMON
Function 38ED43C8 | Relevance: .3, Instructions: 268 | COMMON
Function 38ED6368 | Relevance: .3, Instructions: 268 | COMMON
Function 38ED3B18 | Relevance: .3, Instructions: 268 | COMMON
Function 38ED74C8 | Relevance: .3, Instructions: 268 | COMMON
Function 38ED1CB0 | Relevance: .3, Instructions: 268 | COMMON
Function 38ED1400 | Relevance: .3, Instructions: 268 | COMMON
Function 38ED6C18 | Relevance: .3, Instructions: 268 | COMMON
Function 38ED4DB0 | Relevance: .3, Instructions: 268 | COMMON
Function 38ED2560 | Relevance: .3, Instructions: 268 | COMMON
Function 38ED36C0 | Relevance: .3, Instructions: 268 | COMMON
Function 38ED5660 | Relevance: .3, Instructions: 268 | COMMON
Function 38ED2E10 | Relevance: .3, Instructions: 268 | COMMON
Function 38ED67C0 | Relevance: .3, Instructions: 268 | COMMON
Function 38ED0FA8 | Relevance: .3, Instructions: 268 | COMMON
Function 38ED3F70 | Relevance: .3, Instructions: 268 | COMMON
Function 38ED5F10 | Relevance: .3, Instructions: 268 | COMMON
Function 3838C1F2 | Relevance: .3, Instructions: 267 | COMMON
Function 3838E790 | Relevance: .3, Instructions: 267 | COMMON
Function 3838F054 | Relevance: .3, Instructions: 265 | COMMON
Function 3838E339 | Relevance: .3, Instructions: 265 | COMMON
Function 3838BD9C | Relevance: .3, Instructions: 265 | COMMON
Function 38EDCBE7 | Relevance: .0, Instructions: 17 | COMMON
Function 004052F3 | Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284 | window, clipboard, memory | COMMON
Function 004042B6 | Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 207 | window, string | COMMON
Function 0040389E | Relevance: 37.0, APIs: 13, Strings: 8, Instructions: 215 | string, registry | COMMON
Function 00405D84 | Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131 | string, memory | COMMON
Function 004045B4 | Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 275 | string | COMMON
Function 00406077 | Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 207 | string | COMMON
Function 00404180 | Relevance: 12.1, APIs: 8, Instructions: 61 | COMMON
Function 004025E5 | Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151 | file | COMMON
Function 00404A7E | Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48 | window | COMMON
Function 00402D04 | Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40 | time | COMMON
Function 00401CFA | Relevance: 7.5, APIs: 5, Instructions: 39 | window | COMMON
Function 00401D56 | Relevance: 7.5, APIs: 5, Instructions: 38 | COMMON
Function 00404970 | Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84 | string | COMMON
Function 00401BDF | Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76 | window, time | COMMON
Function 004063BF | Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34 | library | COMMON
Function 00405683 | Relevance: 6.0, APIs: 4, Instructions: 39 | COMMON
Function 00402D8A | Relevance: 6.0, APIs: 4, Instructions: 33 | COMMON
Function 00405128 | Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46 | window | COMMON
Function 00405735 | Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24 | process | COMMON
Function 00111A40 | Relevance: 5.1, Strings: 4, Instructions: 94 | COMMON
Function 001158E8 | Relevance: 5.0, Strings: 4, Instructions: 49 | COMMON
Function 00405B8F | Relevance: 5.0, APIs: 4, Instructions: 37 | string | COMMON