Edit tour
Windows
Analysis Report
4AMVusDMPP.exe
Overview
General Information
| Sample name: | 4AMVusDMPP.exerenamed because original name is a hash value |
| Original sample name: | 815d6b508fab5d16a8190a479fb4b72a3916d9afe21393eeb506098cb1a93c3a.exe |
| Analysis ID: | 1588355 |
| MD5: | ed6f1c14e085e4fbc7c47f894f2140b9 |
| SHA1: | 1757c800b765345d51a261e11ebe1d89f05c4865 |
| SHA256: | 815d6b508fab5d16a8190a479fb4b72a3916d9afe21393eeb506098cb1a93c3a |
| Tags: | exeGuLoaderuser-adrian__luca |
| Infos: |  |
 | |
Detection
GuLoader, MassLogger RAT
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected MassLogger RAT
Yara detected Telegram RAT
AI detected suspicious sample
Disable Task Manager(disabletaskmgr)
Disables CMD prompt
Disables the Windows task manager (taskmgr)
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Classification
- System is w10x64
4AMVusDMPP.exe (PID: 2740 cmdline:
"C:\Users\ user\Deskt op\4AMVusD MPP.exe" MD5: ED6F1C14E085E4FBC7C47F894F2140B9) "C:\Users\ user\Deskt op\4AMVusD MPP.exe" MD5: ED6F1C14E085E4FBC7C47F894F2140B9)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution |
{"C2 url": "https://api.telegram.org/bot7234679344:AAGl5nGx0Ytu5pL8H_Rv2nR7Ahy85jEjxEI/sendMessage"}{"EXfil Mode": "Telegram", "Telegram Token": "7234679344:AAGl5nGx0Ytu5pL8H_Rv2nR7Ahy85jEjxEI", "Telegram Chatid": "6897585916"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | ||
| JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | ||
| JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security | ||
| Click to see the 2 entries | ||||
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-11T01:23:10.402399+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49710 | 149.154.167.220 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-11T01:23:01.587651+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49708 | 132.226.247.73 | 80 | TCP |
| 2025-01-11T01:23:09.493922+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49708 | 132.226.247.73 | 80 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-11T01:22:56.569418+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49706 | 142.250.186.78 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-11T01:23:10.131639+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49710 | 149.154.167.220 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Integrated Neural Analysis Model: | ||
Location Tracking | |
|---|
| Source: | DNS query: | ||
| Source: | Code function: | 3_2_3592D1EC | |
| Source: | Code function: | 3_2_3592D9D9 | |
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_0040672B | |
| Source: | Code function: | 0_2_00405AFA | |
| Source: | Code function: | 0_2_00402868 | |
| Source: | Code function: | 3_2_00402868 | |
| Source: | Code function: | 3_2_0040672B | |
| Source: | Code function: | 3_2_00405AFA | |
| Source: | Code function: | 3_2_35920C28 | |
| Source: | Code function: | 3_2_3592C638 | |
| Source: | Code function: | 3_2_359203AF | |
| Source: | Code function: | 3_2_3592BD88 | |
| Source: | Code function: | 3_2_3592B4EC | |
| Source: | Code function: | 3_2_35920C1A | |
| Source: | Code function: | 3_2_3592E790 | |
| Source: | Code function: | 3_2_35920F6F | |
| Source: | Code function: | 3_2_3592DEE1 | |
| Source: | Code function: | 3_2_3592C1F2 | |
| Source: | Code function: | 3_2_3592B944 | |
| Source: | Code function: | 3_2_3592F041 | |
| Source: | Code function: | 3_2_3592B07F | |
| Source: | Code function: | 3_2_3592EBF2 | |
| Source: | Code function: | 3_2_3592E339 | |
| Source: | Code function: | 3_2_3592DA89 | |
| Source: | Code function: | 3_2_36488650 | |
| Source: | Code function: | 3_2_36488650 | |
| Source: | Code function: | 3_2_3648BDF0 | |
| Source: | Code function: | 3_2_36485660 | |
| Source: | Code function: | 3_2_36482E10 | |
| Source: | Code function: | 3_2_364836C0 | |
| Source: | Code function: | 3_2_36483F70 | |
| Source: | Code function: | 3_2_36485F10 | |
| Source: | Code function: | 3_2_364867C0 | |
| Source: | Code function: | 3_2_36480FA8 | |
| Source: | Code function: | 3_2_36481400 | |
| Source: | Code function: | 3_2_36486C18 | |
| Source: | Code function: | 3_2_364874C8 | |
| Source: | Code function: | 3_2_36481CB0 | |
| Source: | Code function: | 3_2_36482560 | |
| Source: | Code function: | 3_2_36484DB0 | |
| Source: | Code function: | 3_2_36483268 | |
| Source: | Code function: | 3_2_36485208 | |
| Source: | Code function: | 3_2_36485AB8 | |
| Source: | Code function: | 3_2_36487B4F | |
| Source: | Code function: | 3_2_36486368 | |
| Source: | Code function: | 3_2_36488373 | |
| Source: | Code function: | 3_2_36483B18 | |
| Source: | Code function: | 3_2_364843C8 | |
| Source: | Code function: | 3_2_3648CBE7 | |
| Source: | Code function: | 3_2_36481858 | |
| Source: | Code function: | 3_2_36487070 | |
| Source: | Code function: | 3_2_36484820 | |
| Source: | Code function: | 3_2_36482108 | |
| Source: | Code function: | 3_2_3648C92F | |
| Source: | Code function: | 3_2_36488193 | |
| Source: | Code function: | 3_2_364829B8 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | JA3 fingerprint: | ||
| Source: | JA3 fingerprint: | ||
| Source: | DNS query: | ||
| Source: | DNS query: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 0_2_0040558F | |
| Source: | Code function: | 0_2_004034A5 | |
| Source: | Code function: | 3_2_004034A5 | |
| Source: | Code function: | 0_2_00404DCC | |
| Source: | Code function: | 0_2_00406AF2 | |
| Source: | Code function: | 0_2_6E881B5F | |
| Source: | Code function: | 3_2_00404DCC | |
| Source: | Code function: | 3_2_00406AF2 | |
| Source: | Code function: | 3_2_00154328 | |
| Source: | Code function: | 3_2_00158DA0 | |
| Source: | Code function: | 3_2_00155968 | |
| Source: | Code function: | 3_2_00155F90 | |
| Source: | Code function: | 3_2_00152DD1 | |
| Source: | Code function: | 3_2_35922D68 | |
| Source: | Code function: | 3_2_3592CCA0 | |
| Source: | Code function: | 3_2_3592C638 | |
| Source: | Code function: | 3_2_3592F650 | |
| Source: | Code function: | 3_2_35922130 | |
| Source: | Code function: | 3_2_35927848 | |
| Source: | Code function: | 3_2_359203AF | |
| Source: | Code function: | 3_2_3592331A | |
| Source: | Code function: | 3_2_3592BD88 | |
| Source: | Code function: | 3_2_3592CC91 | |
| Source: | Code function: | 3_2_3592B4EC | |
| Source: | Code function: | 3_2_3592E79F | |
| Source: | Code function: | 3_2_35926E91 | |
| Source: | Code function: | 3_2_35927EBA | |
| Source: | Code function: | 3_2_35926EA0 | |
| Source: | Code function: | 3_2_35927EF6 | |
| Source: | Code function: | 3_2_3592DEE1 | |
| Source: | Code function: | 3_2_3592C1F2 | |
| Source: | Code function: | 3_2_3592B944 | |
| Source: | Code function: | 3_2_3592F041 | |
| Source: | Code function: | 3_2_3592B07F | |
| Source: | Code function: | 3_2_3592EBF7 | |
| Source: | Code function: | 3_2_3592E339 | |
| Source: | Code function: | 3_2_3592DA89 | |
| Source: | Code function: | 3_2_36488650 | |
| Source: | Code function: | 3_2_364896C8 | |
| Source: | Code function: | 3_2_36489D10 | |
| Source: | Code function: | 3_2_3648BDF0 | |
| Source: | Code function: | 3_2_3648A360 | |
| Source: | Code function: | 3_2_3648A9B0 | |
| Source: | Code function: | 3_2_36488640 | |
| Source: | Code function: | 3_2_36485650 | |
| Source: | Code function: | 3_2_36485660 | |
| Source: | Code function: | 3_2_36482E10 | |
| Source: | Code function: | 3_2_364836C0 | |
| Source: | Code function: | 3_2_364896B8 | |
| Source: | Code function: | 3_2_364836B0 | |
| Source: | Code function: | 3_2_36483F60 | |
| Source: | Code function: | 3_2_36483F70 | |
| Source: | Code function: | 3_2_36485F01 | |
| Source: | Code function: | 3_2_36485F10 | |
| Source: | Code function: | 3_2_364867C0 | |
| Source: | Code function: | 3_2_3648AFE8 | |
| Source: | Code function: | 3_2_3648AFF8 | |
| Source: | Code function: | 3_2_3648AFF7 | |
| Source: | Code function: | 3_2_36480FA8 | |
| Source: | Code function: | 3_2_364867B0 | |
| Source: | Code function: | 3_2_36486C09 | |
| Source: | Code function: | 3_2_36481400 | |
| Source: | Code function: | 3_2_36486C18 | |
| Source: | Code function: | 3_2_364874C8 | |
| Source: | Code function: | 3_2_36481CA0 | |
| Source: | Code function: | 3_2_364874B8 | |
| Source: | Code function: | 3_2_36481CB0 | |
| Source: | Code function: | 3_2_36482550 | |
| Source: | Code function: | 3_2_36482560 | |
| Source: | Code function: | 3_2_36489D00 | |
| Source: | Code function: | 3_2_36484DA0 | |
| Source: | Code function: | 3_2_36484DB0 | |
| Source: | Code function: | 3_2_36483268 | |
| Source: | Code function: | 3_2_36485208 | |
| Source: | Code function: | 3_2_36485207 | |
| Source: | Code function: | 3_2_3648BA97 | |
| Source: | Code function: | 3_2_36485AA8 | |
| Source: | Code function: | 3_2_36485AB8 | |
| Source: | Code function: | 3_2_36487B4F | |
| Source: | Code function: | 3_2_36486358 | |
| Source: | Code function: | 3_2_3648A353 | |
| Source: | Code function: | 3_2_36486368 | |
| Source: | Code function: | 3_2_36483B08 | |
| Source: | Code function: | 3_2_36483B18 | |
| Source: | Code function: | 3_2_364843C8 | |
| Source: | Code function: | 3_2_364843B9 | |
| Source: | Code function: | 3_2_36480040 | |
| Source: | Code function: | 3_2_36481858 | |
| Source: | Code function: | 3_2_36487061 | |
| Source: | Code function: | 3_2_36487070 | |
| Source: | Code function: | 3_2_36484810 | |
| Source: | Code function: | 3_2_36484820 | |
| Source: | Code function: | 3_2_36482108 | |
| Source: | Code function: | 3_2_3648F120 | |
| Source: | Code function: | 3_2_3648F130 | |
| Source: | Code function: | 3_2_364829A8 | |
| Source: | Code function: | 3_2_3648A9A0 | |
| Source: | Code function: | 3_2_364829B8 | |
| Source: | Code function: | 3_2_367ED608 | |
| Source: | Code function: | 3_2_367E8328 | |
| Source: | Code function: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_004034A5 | |
| Source: | Code function: | 3_2_004034A5 | |
| Source: | Code function: | 0_2_00404850 | |
| Source: | Code function: | 0_2_00402104 | |
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | ReversingLabs: | ||
| Source: | Virustotal: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
Data Obfuscation | |
|---|
| Source: | File source: | ||
| Source: | Code function: | 0_2_6E881B5F | |
| Source: | Code function: | 3_3_001949CD | |
| Source: | Code function: | 3_2_0015ACAA | |
| Source: | Code function: | 3_2_0015ACAA | |
| Source: | File created: | Jump to dropped file | ||
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | API/Special instruction interceptor: | ||
| Source: | API/Special instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | API coverage: | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Code function: | 0_2_0040672B | |
| Source: | Code function: | 0_2_00405AFA | |
| Source: | Code function: | 0_2_00402868 | |
| Source: | Code function: | 3_2_00402868 | |
| Source: | Code function: | 3_2_0040672B | |
| Source: | Code function: | 3_2_00405AFA | |
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_0-4590 | ||
| Source: | API call chain: | graph_0-4746 | ||
| Source: | Code function: | 0_2_6E881B5F | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_004034A5 | |
| Source: | Key value queried: | Jump to behavior | ||
Lowering of HIPS / PFW / Operating System Security Settings | |
|---|
| Source: | Registry value created: | Jump to behavior | ||
| Source: | Registry value created: | Jump to behavior | ||
| Source: | Registry key created or modified: | Jump to behavior | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Masquerading | 1 OS Credential Dumping | 1 Query Registry | Remote Services | 1 Email Collection | 1 Web Service | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 11 Process Injection | 31 Disable or Modify Tools | LSASS Memory | 21 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 31 Virtualization/Sandbox Evasion | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Access Token Manipulation | NTDS | 1 System Network Configuration Discovery | Distributed Component Object Model | 1 Clipboard Data | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Process Injection | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | 14 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Deobfuscate/Decode Files or Information | Cached Domain Credentials | 215 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 3 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 61% | ReversingLabs | Win32.Trojan.Guloader | ||
| 76% | Virustotal | Browse | ||
| 100% | Avira | HEUR/AGEN.1337946 |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | ReversingLabs | |||
| 0% | Virustotal | Browse |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| drive.google.com | 142.250.186.78 | true | false | high | |
| drive.usercontent.google.com | 142.250.185.129 | true | false | high | |
| reallyfreegeoip.org | 104.21.32.1 | true | false | high | |
| api.telegram.org | 149.154.167.220 | true | false | high | |
| checkip.dyndns.com | 132.226.247.73 | true | false | high | |
| checkip.dyndns.org | unknown | unknown | false | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | high | ||
| false | high | ||
| false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 142.250.186.78 | drive.google.com | United States | 15169 | GOOGLEUS | false | |
| 149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false | |
| 142.250.185.129 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false | |
| 104.21.32.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false | |
| 132.226.247.73 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false |
| Joe Sandbox version: | 42.0.0 Malachite |
| Analysis ID: | 1588355 |
| Start date and time: | 2025-01-11 01:21:15 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 8m 15s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Run name: | Run with higher sleep bypass |
| Number of analysed new started processes analysed: | 8 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | 4AMVusDMPP.exerenamed because original name is a hash value |
| Original Sample Name: | 815d6b508fab5d16a8190a479fb4b72a3916d9afe21393eeb506098cb1a93c3a.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@3/8@5/5 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.45
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
⊘No simulations
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 149.154.167.220 | Get hash | malicious | AsyncRAT, StormKitty, WorldWind Stealer | Browse | ||
| Get hash | malicious | Snake Keylogger | Browse | |||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | AsyncRAT, StormKitty, WorldWind Stealer | Browse | |||
| Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse | |||
| Get hash | malicious | MassLogger RAT | Browse | |||
| Get hash | malicious | MassLogger RAT | Browse | |||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| 104.21.32.1 | Get hash | malicious | FormBook | Browse |
| |
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | CMSBrute | Browse |
| ||
| 132.226.247.73 | Get hash | malicious | Snake Keylogger | Browse |
| |
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| reallyfreegeoip.org | Get hash | malicious | Snake Keylogger | Browse |
| |
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| checkip.dyndns.com | Get hash | malicious | Snake Keylogger | Browse |
| |
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| api.telegram.org | Get hash | malicious | AsyncRAT, StormKitty, WorldWind Stealer | Browse |
| |
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | AsyncRAT, StormKitty, WorldWind Stealer | Browse |
| ||
| Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| TELEGRAMRU | Get hash | malicious | AsyncRAT, StormKitty, WorldWind Stealer | Browse |
| |
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | AsyncRAT, StormKitty, WorldWind Stealer | Browse |
| ||
| Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| UTMEMUS | Get hash | malicious | Snake Keylogger | Browse |
| |
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| CLOUDFLARENETUS | Get hash | malicious | Snake Keylogger | Browse |
| |
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse |
| ||
| Get hash | malicious | AsyncRAT, StormKitty, WorldWind Stealer | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 54328bd36c14bd82ddaa0c04b25ed9ad | Get hash | malicious | Snake Keylogger | Browse |
| |
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| 3b5074b1b5d032e5620f69f9f700ff0e | Get hash | malicious | AgentTesla | Browse |
| |
| Get hash | malicious | AsyncRAT, StormKitty, WorldWind Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| 37f463bf4616ecd445d4a1937da06e19 | Get hash | malicious | GuLoader | Browse |
| |
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | Remcos, GuLoader | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\nslE077.tmp\System.dll | Get hash | malicious | GuLoader, MassLogger RAT | Browse | ||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| Process: | C:\Users\user\Desktop\4AMVusDMPP.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 484658 |
| Entropy (8bit): | 7.809711763657168 |
| Encrypted: | false |
| SSDEEP: | 12288:W1S3xo63wl4biprI2S4WwWEcwxg9dvVAxZOCLF0DB:Wo3xX3y4bz2lWwWo6rSTZyd |
| MD5: | 5C727AE28F0DECF497FBB092BAE01B4E |
| SHA1: | AADE364AE8C2C91C6F59F85711B53078FB0763B7 |
| SHA-256: | 77CCACF58330509839E17A6CFD6B17FE3DE31577D8E2C37DC413839BA2FEEC80 |
| SHA-512: | 5246C0FBA41DF66AF89D986A3CEABC99B61DB9E9C217B28B2EC18AF31E3ED17C865387223CEB3A38A804243CF3307E07E557549026F49F52829BEBC4D4546C40 |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\4AMVusDMPP.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 112291 |
| Entropy (8bit): | 1.249420131631438 |
| Encrypted: | false |
| SSDEEP: | 768:5R+BCpkJWjYWL2MxTVLvUjpGqik9JiAfWA2DBQwD1PzUH+HYZmIo7x31sT:WCZY21w0I2NZYD |
| MD5: | 4D1D72CFC5940B09DFBD7B65916F532E |
| SHA1: | 30A45798B534842002B103A36A3B907063F8A96C |
| SHA-256: | 479F1904096978F1011DF05D52021FAEEE028D4CF331024C965CED8AF1C8D496 |
| SHA-512: | 048844A09E291903450188715BCDDF14F0F1F10BEAFBD005882EBF5D5E31A71D8F93EEBE788BD54B4AED2266C454F4DCA18AF4567977B7E773BBE29A38DEA45B |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\4AMVusDMPP.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 286225 |
| Entropy (8bit): | 7.710114949306163 |
| Encrypted: | false |
| SSDEEP: | 6144:tIDUHdfSOxO7G+xkFHmRKJCbqkLdzd2DI22C9pYV:t5xhC/6FHQGwqmB+I6S |
| MD5: | 34F265250B7ED15DC0990A62F24E4D46 |
| SHA1: | 9B704DA4147DFCF5A8E79E6510344D69BFD4DA51 |
| SHA-256: | ED4A13E1A9C95FCE5A54AB84B479D07F8900E58C6A4B4CE71D442FA3171F4FF4 |
| SHA-512: | C990A4472DB4D9EE7E766DE924AB2A843971BC1624C8A79099709B27BBA04B5223C47362588C1DFD835CD45E14CD03E5D8BD17BC198858BB6AD38DCE316734D0 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\4AMVusDMPP.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 362089 |
| Entropy (8bit): | 1.23992084267325 |
| Encrypted: | false |
| SSDEEP: | 768:xOeaameETrlE0+1mGOWb3h5WAV0hW+JSLSwzj2HlSdL0f6mhKZRaqOzWz6szt3cA:x+ds5dYOVxIW3hhdeRt6MeZ1W4vB |
| MD5: | A4340182CDDD2EC1F1480360218343F9 |
| SHA1: | 50EF929FEA713AA6FCC05E8B75F497B7946B285B |
| SHA-256: | B91E5B1FF5756F0B93DCF11CBC8B467CDA0C5792DE24D27EC86E7C74388B44B3 |
| SHA-512: | 021F198AFF7CCED92912C74FC97D1919A9E059F22E99AB1236FBAA36C16B520C07B78F47FC01FCFAC1B53A87CDAE3E440D0589FA2844612617FAB2EDB64A3573 |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\4AMVusDMPP.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 139354 |
| Entropy (8bit): | 1.2473328695625903 |
| Encrypted: | false |
| SSDEEP: | 768:9OsMSh8lSnJGyUzWZsO2ipzPFmDZC9kpzroto48tf2+5lVp:9delFlqNawgJp |
| MD5: | B0FB6B583D6902DE58E1202D12BA4832 |
| SHA1: | 7F585B5C3A4581CE76E373C78A6513F157B20480 |
| SHA-256: | E6EA5F6D0C7F5FA407269C7F4FF6D97149B7611071BF5BF6C454B810501AE661 |
| SHA-512: | E0894FFBD76C3476DC083DAFD24F88964BF6E09E4CA955766B43FE73A764A00247C930E9996652A22B57B27826CD94F88B8178514060CA398DE568675F9E4571 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\4AMVusDMPP.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 29090 |
| Entropy (8bit): | 4.557557000479259 |
| Encrypted: | false |
| SSDEEP: | 768:pHSuQk1y9dJm5jpRjBzovMg5UmxBCedq+:pHb0yRjB5ga+r3 |
| MD5: | E6704DB94EBC651D67A06C37F49BE45B |
| SHA1: | 291DDC7027CB3DEE53C9D67B2EA8200AF11352D2 |
| SHA-256: | EB2552A216C6B17EDCD5C758F162A778047B8EB25F7927C48591FBE87F7EF21C |
| SHA-512: | 4DAB316D438F748E21CCD8865D43BE332712A3BA2A12B7C53FB023E8D59F0429D39E03702E9C20A82B02ECD27133107C448722354E41E382949819EEEBC87542 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\4AMVusDMPP.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1439902 |
| Entropy (8bit): | 5.50423023217672 |
| Encrypted: | false |
| SSDEEP: | 24576:vI5xhHFHNZm2Ro3xX3y4bz2lWwWo6rSTZye:+tZtRoBXbz2luo6rS1ye |
| MD5: | C0586E009617EADA0D82E3C7809D4169 |
| SHA1: | DE3E11D2209A23DEECC8CBA975042CBAD8E49C5F |
| SHA-256: | 7A3A77EEC2C93A1792B7B2D3BE81E4E3A8296AC20798B163876B768480E8396F |
| SHA-512: | ECF2323E8C6AE3438A1BF87DAFFD8910512B02E8C94FA0244192B2DA2DD7711F58135D98A1C9D2316CD19A8C0B6354D8D7D198F84683655EC16212D3997026E3 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\4AMVusDMPP.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 12288 |
| Entropy (8bit): | 5.719859767584478 |
| Encrypted: | false |
| SSDEEP: | 192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6 |
| MD5: | 0D7AD4F45DC6F5AA87F606D0331C6901 |
| SHA1: | 48DF0911F0484CBE2A8CDD5362140B63C41EE457 |
| SHA-256: | 3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA |
| SHA-512: | C07DE7308CB54205E8BD703001A7FE4FD7796C9AC1B4BB330C77C872BF712B093645F40B80CE7127531FE6746A5B66E18EA073AB6A644934ABED9BB64126FEA9 |
| Malicious: | false |
| Antivirus: |
|
| Joe Sandbox View: |
|
| Preview: |
| File type: | |
| Entropy (8bit): | 7.958154658093199 |
| TrID: |
|
| File name: | 4AMVusDMPP.exe |
| File size: | 997'399 bytes |
| MD5: | ed6f1c14e085e4fbc7c47f894f2140b9 |
| SHA1: | 1757c800b765345d51a261e11ebe1d89f05c4865 |
| SHA256: | 815d6b508fab5d16a8190a479fb4b72a3916d9afe21393eeb506098cb1a93c3a |
| SHA512: | 2b4e7c8669272fd353516d9ba3931536106d480fa11731b445715830098f3f74884f661702bdf25e3d50d1424920f08e1743b2ff4ca65291f3a8f3f98c7fe385 |
| SSDEEP: | 24576:9jwKCNd9QdnQK3gxR4Fm9/brSz8pCKDzJyhb1hy5xVgQ7O:V1CqnQc6YKPJyhbzyziV |
| TLSH: | 0025230BF5C3EDAFC5A7C83598B65A97E8BBAD032480D143B374361E5C752E18826793 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...$..\.................f...*..... |
 | |
| Icon Hash: | 46224e4c19391d03 |
| Entrypoint: | 0x4034a5 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x5C157F24 [Sat Dec 15 22:24:36 2018 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 1f23f452093b5c1ff091a2f9fb4fa3e9 |
| Instruction |
|---|
| sub esp, 000002D4h |
| push ebx |
| push esi |
| push edi |
| push 00000020h |
| pop edi |
| xor ebx, ebx |
| push 00008001h |
| mov dword ptr [esp+14h], ebx |
| mov dword ptr [esp+10h], 0040A230h |
| mov dword ptr [esp+1Ch], ebx |
| call dword ptr [004080ACh] |
| call dword ptr [004080A8h] |
| and eax, BFFFFFFFh |
| cmp ax, 00000006h |
| mov dword ptr [0042A24Ch], eax |
| je 00007FBD04F21753h |
| push ebx |
| call 00007FBD04F24A1Dh |
| cmp eax, ebx |
| je 00007FBD04F21749h |
| push 00000C00h |
| call eax |
| mov esi, 004082B0h |
| push esi |
| call 00007FBD04F24997h |
| push esi |
| call dword ptr [00408150h] |
| lea esi, dword ptr [esi+eax+01h] |
| cmp byte ptr [esi], 00000000h |
| jne 00007FBD04F2172Ch |
| push 0000000Ah |
| call 00007FBD04F249F0h |
| push 00000008h |
| call 00007FBD04F249E9h |
| push 00000006h |
| mov dword ptr [0042A244h], eax |
| call 00007FBD04F249DDh |
| cmp eax, ebx |
| je 00007FBD04F21751h |
| push 0000001Eh |
| call eax |
| test eax, eax |
| je 00007FBD04F21749h |
| or byte ptr [0042A24Fh], 00000040h |
| push ebp |
| call dword ptr [00408044h] |
| push ebx |
| call dword ptr [004082A0h] |
| mov dword ptr [0042A318h], eax |
| push ebx |
| lea eax, dword ptr [esp+34h] |
| push 000002B4h |
| push eax |
| push ebx |
| push 004216E8h |
| call dword ptr [00408188h] |
| push 0040A384h |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x55000 | 0x21068 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x6409 | 0x6600 | bfe2b726d49cbd922b87bad5eea65e61 | False | 0.6540287990196079 | data | 6.416186322230332 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x8000 | 0x1396 | 0x1400 | d45dcba8ca646543f7e339e20089687e | False | 0.45234375 | data | 5.154907432640367 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xa000 | 0x20358 | 0x600 | 8575fc5e872ca789611c386779287649 | False | 0.5026041666666666 | data | 4.004402321344153 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .ndata | 0x2b000 | 0x2a000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x55000 | 0x21068 | 0x21200 | 03ed2ed76ba15352dac9e48819696134 | False | 0.8714696344339623 | data | 7.556190648348207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_BITMAP | 0x554c0 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States | 0.23623853211009174 |
| RT_ICON | 0x55828 | 0xc2a3 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9966684729162903 |
| RT_ICON | 0x61ad0 | 0x86e0 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.990210843373494 |
| RT_ICON | 0x6a1b0 | 0x5085 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9867559307233299 |
| RT_ICON | 0x6f238 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.4358921161825726 |
| RT_ICON | 0x717e0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.4896810506566604 |
| RT_ICON | 0x72888 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.5367803837953091 |
| RT_ICON | 0x73730 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.6913357400722022 |
| RT_ICON | 0x73fd8 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.38597560975609757 |
| RT_ICON | 0x74640 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.4934971098265896 |
| RT_ICON | 0x74ba8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.651595744680851 |
| RT_ICON | 0x75010 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.46908602150537637 |
| RT_ICON | 0x752f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.5472972972972973 |
| RT_DIALOG | 0x75420 | 0x120 | data | English | United States | 0.53125 |
| RT_DIALOG | 0x75540 | 0x118 | data | English | United States | 0.5678571428571428 |
| RT_DIALOG | 0x75658 | 0x120 | data | English | United States | 0.5104166666666666 |
| RT_DIALOG | 0x75778 | 0xf8 | data | English | United States | 0.6330645161290323 |
| RT_DIALOG | 0x75870 | 0xa0 | data | English | United States | 0.6125 |
| RT_DIALOG | 0x75910 | 0x60 | data | English | United States | 0.7291666666666666 |
| RT_GROUP_ICON | 0x75970 | 0xae | data | English | United States | 0.6091954022988506 |
| RT_VERSION | 0x75a20 | 0x308 | data | English | United States | 0.47036082474226804 |
| RT_MANIFEST | 0x75d28 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795 |
| DLL | Import |
|---|---|
| KERNEL32.dll | ExitProcess, SetFileAttributesW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, SetCurrentDirectoryW, GetFileAttributesW, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, CopyFileW, GetShortPathNameW, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalUnlock, GetDiskFreeSpaceW, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW |
| USER32.dll | GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage |
| GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
| SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW |
| ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW |
| COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
| ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-11T01:22:56.569418+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.8 | 49706 | 142.250.186.78 | 443 | TCP |
| 2025-01-11T01:23:01.587651+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49708 | 132.226.247.73 | 80 | TCP |
| 2025-01-11T01:23:09.493922+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49708 | 132.226.247.73 | 80 | TCP |
| 2025-01-11T01:23:10.131639+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.8 | 49710 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T01:23:10.402399+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.8 | 49710 | 149.154.167.220 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 11, 2025 01:22:55.309345007 CET | 49706 | 443 | 192.168.2.8 | 142.250.186.78 |
| Jan 11, 2025 01:22:55.309362888 CET | 443 | 49706 | 142.250.186.78 | 192.168.2.8 |
| Jan 11, 2025 01:22:55.309446096 CET | 49706 | 443 | 192.168.2.8 | 142.250.186.78 |
| Jan 11, 2025 01:22:55.363490105 CET | 49706 | 443 | 192.168.2.8 | 142.250.186.78 |
| Jan 11, 2025 01:22:55.363526106 CET | 443 | 49706 | 142.250.186.78 | 192.168.2.8 |
| Jan 11, 2025 01:22:56.185502052 CET | 443 | 49706 | 142.250.186.78 | 192.168.2.8 |
| Jan 11, 2025 01:22:56.185579062 CET | 49706 | 443 | 192.168.2.8 | 142.250.186.78 |
| Jan 11, 2025 01:22:56.186259031 CET | 443 | 49706 | 142.250.186.78 | 192.168.2.8 |
| Jan 11, 2025 01:22:56.186314106 CET | 49706 | 443 | 192.168.2.8 | 142.250.186.78 |
| Jan 11, 2025 01:22:56.251631975 CET | 49706 | 443 | 192.168.2.8 | 142.250.186.78 |
| Jan 11, 2025 01:22:56.251682997 CET | 443 | 49706 | 142.250.186.78 | 192.168.2.8 |
| Jan 11, 2025 01:22:56.252084970 CET | 443 | 49706 | 142.250.186.78 | 192.168.2.8 |
| Jan 11, 2025 01:22:56.252156973 CET | 49706 | 443 | 192.168.2.8 | 142.250.186.78 |
| Jan 11, 2025 01:22:56.255968094 CET | 49706 | 443 | 192.168.2.8 | 142.250.186.78 |
| Jan 11, 2025 01:22:56.299328089 CET | 443 | 49706 | 142.250.186.78 | 192.168.2.8 |
| Jan 11, 2025 01:22:56.569380045 CET | 443 | 49706 | 142.250.186.78 | 192.168.2.8 |
| Jan 11, 2025 01:22:56.569519997 CET | 49706 | 443 | 192.168.2.8 | 142.250.186.78 |
| Jan 11, 2025 01:22:56.569550037 CET | 443 | 49706 | 142.250.186.78 | 192.168.2.8 |
| Jan 11, 2025 01:22:56.569603920 CET | 49706 | 443 | 192.168.2.8 | 142.250.186.78 |
| Jan 11, 2025 01:22:56.569762945 CET | 49706 | 443 | 192.168.2.8 | 142.250.186.78 |
| Jan 11, 2025 01:22:56.569808960 CET | 443 | 49706 | 142.250.186.78 | 192.168.2.8 |
| Jan 11, 2025 01:22:56.569861889 CET | 49706 | 443 | 192.168.2.8 | 142.250.186.78 |
| Jan 11, 2025 01:22:56.599575043 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:22:56.599606037 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:22:56.599678993 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:22:56.599936008 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:22:56.599950075 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:22:57.308810949 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:22:57.308940887 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:22:57.313714027 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:22:57.313728094 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:22:57.314136028 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:22:57.314208031 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:22:57.314613104 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:22:57.355336905 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:22:59.911990881 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:22:59.912100077 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:22:59.917577982 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:22:59.917866945 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:22:59.930141926 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:22:59.930253983 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:22:59.930275917 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:22:59.930352926 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:22:59.935959101 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:22:59.939536095 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.001990080 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.002227068 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.002275944 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.002275944 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.002295971 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.002413988 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.002423048 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.002505064 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.007819891 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.008852959 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.008863926 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.009010077 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.012815952 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.015564919 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.015575886 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.015638113 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.019098997 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.019176006 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.019200087 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.019249916 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.025326967 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.026171923 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.026180029 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.026231050 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.031683922 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.035553932 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.035563946 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.035670996 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.037817001 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.037911892 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.037919998 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.038007021 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.043915033 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.044243097 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.044255018 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.044460058 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.049159050 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.049314022 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.049323082 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.049421072 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.065597057 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.065682888 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.065828085 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.065840960 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.067965031 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.068038940 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.068051100 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.068170071 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.092554092 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.092693090 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.092705965 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.092788935 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.092794895 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.092840910 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.092876911 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.092878103 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.092886925 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.092904091 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.093012094 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.093012094 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.093550920 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.093635082 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.093677044 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.093687057 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.093732119 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.093740940 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.093797922 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.096827030 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.096899033 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.098367929 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.098511934 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.102272987 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.102451086 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.102458954 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.102524996 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.107243061 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.107521057 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.107532024 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.107579947 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.112201929 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.112282991 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.112292051 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.112390995 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.116775990 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.116938114 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.116954088 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.117068052 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.121553898 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.121629000 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.121638060 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.121695042 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.126187086 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.126283884 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.126291990 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.126326084 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.130695105 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.130800962 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.130846024 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.131022930 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.135329962 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.135395050 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.135406017 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.135817051 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.139938116 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.140085936 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.140095949 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.140140057 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.144313097 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.144531012 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.144539118 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.144639969 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.148511887 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.148607016 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.148632050 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.148648024 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.148750067 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.148788929 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.148788929 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.148788929 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.148806095 CET | 443 | 49707 | 142.250.185.129 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.148852110 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.148852110 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.148888111 CET | 49707 | 443 | 192.168.2.8 | 142.250.185.129 |
| Jan 11, 2025 01:23:00.588213921 CET | 49708 | 80 | 192.168.2.8 | 132.226.247.73 |
| Jan 11, 2025 01:23:00.593149900 CET | 80 | 49708 | 132.226.247.73 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.593233109 CET | 49708 | 80 | 192.168.2.8 | 132.226.247.73 |
| Jan 11, 2025 01:23:00.593863964 CET | 49708 | 80 | 192.168.2.8 | 132.226.247.73 |
| Jan 11, 2025 01:23:00.598659039 CET | 80 | 49708 | 132.226.247.73 | 192.168.2.8 |
| Jan 11, 2025 01:23:01.328577995 CET | 80 | 49708 | 132.226.247.73 | 192.168.2.8 |
| Jan 11, 2025 01:23:01.333426952 CET | 49708 | 80 | 192.168.2.8 | 132.226.247.73 |
| Jan 11, 2025 01:23:01.338337898 CET | 80 | 49708 | 132.226.247.73 | 192.168.2.8 |
| Jan 11, 2025 01:23:01.543998957 CET | 80 | 49708 | 132.226.247.73 | 192.168.2.8 |
| Jan 11, 2025 01:23:01.587651014 CET | 49708 | 80 | 192.168.2.8 | 132.226.247.73 |
| Jan 11, 2025 01:23:02.986728907 CET | 49709 | 443 | 192.168.2.8 | 104.21.32.1 |
| Jan 11, 2025 01:23:02.986773968 CET | 443 | 49709 | 104.21.32.1 | 192.168.2.8 |
| Jan 11, 2025 01:23:02.986839056 CET | 49709 | 443 | 192.168.2.8 | 104.21.32.1 |
| Jan 11, 2025 01:23:02.989865065 CET | 49709 | 443 | 192.168.2.8 | 104.21.32.1 |
| Jan 11, 2025 01:23:02.989883900 CET | 443 | 49709 | 104.21.32.1 | 192.168.2.8 |
| Jan 11, 2025 01:23:03.458486080 CET | 443 | 49709 | 104.21.32.1 | 192.168.2.8 |
| Jan 11, 2025 01:23:03.458579063 CET | 49709 | 443 | 192.168.2.8 | 104.21.32.1 |
| Jan 11, 2025 01:23:03.462100029 CET | 49709 | 443 | 192.168.2.8 | 104.21.32.1 |
| Jan 11, 2025 01:23:03.462121964 CET | 443 | 49709 | 104.21.32.1 | 192.168.2.8 |
| Jan 11, 2025 01:23:03.462490082 CET | 443 | 49709 | 104.21.32.1 | 192.168.2.8 |
| Jan 11, 2025 01:23:03.466167927 CET | 49709 | 443 | 192.168.2.8 | 104.21.32.1 |
| Jan 11, 2025 01:23:03.507339954 CET | 443 | 49709 | 104.21.32.1 | 192.168.2.8 |
| Jan 11, 2025 01:23:03.608159065 CET | 443 | 49709 | 104.21.32.1 | 192.168.2.8 |
| Jan 11, 2025 01:23:03.608243942 CET | 443 | 49709 | 104.21.32.1 | 192.168.2.8 |
| Jan 11, 2025 01:23:03.608335018 CET | 49709 | 443 | 192.168.2.8 | 104.21.32.1 |
| Jan 11, 2025 01:23:03.646020889 CET | 49709 | 443 | 192.168.2.8 | 104.21.32.1 |
| Jan 11, 2025 01:23:09.234652996 CET | 49708 | 80 | 192.168.2.8 | 132.226.247.73 |
| Jan 11, 2025 01:23:09.239633083 CET | 80 | 49708 | 132.226.247.73 | 192.168.2.8 |
| Jan 11, 2025 01:23:09.450618982 CET | 80 | 49708 | 132.226.247.73 | 192.168.2.8 |
| Jan 11, 2025 01:23:09.461987972 CET | 49710 | 443 | 192.168.2.8 | 149.154.167.220 |
| Jan 11, 2025 01:23:09.462013006 CET | 443 | 49710 | 149.154.167.220 | 192.168.2.8 |
| Jan 11, 2025 01:23:09.462069035 CET | 49710 | 443 | 192.168.2.8 | 149.154.167.220 |
| Jan 11, 2025 01:23:09.462574959 CET | 49710 | 443 | 192.168.2.8 | 149.154.167.220 |
| Jan 11, 2025 01:23:09.462585926 CET | 443 | 49710 | 149.154.167.220 | 192.168.2.8 |
| Jan 11, 2025 01:23:09.493921995 CET | 49708 | 80 | 192.168.2.8 | 132.226.247.73 |
| Jan 11, 2025 01:23:10.085494995 CET | 443 | 49710 | 149.154.167.220 | 192.168.2.8 |
| Jan 11, 2025 01:23:10.085704088 CET | 49710 | 443 | 192.168.2.8 | 149.154.167.220 |
| Jan 11, 2025 01:23:10.087621927 CET | 49710 | 443 | 192.168.2.8 | 149.154.167.220 |
| Jan 11, 2025 01:23:10.087636948 CET | 443 | 49710 | 149.154.167.220 | 192.168.2.8 |
| Jan 11, 2025 01:23:10.087899923 CET | 443 | 49710 | 149.154.167.220 | 192.168.2.8 |
| Jan 11, 2025 01:23:10.089472055 CET | 49710 | 443 | 192.168.2.8 | 149.154.167.220 |
| Jan 11, 2025 01:23:10.131333113 CET | 443 | 49710 | 149.154.167.220 | 192.168.2.8 |
| Jan 11, 2025 01:23:10.131417036 CET | 49710 | 443 | 192.168.2.8 | 149.154.167.220 |
| Jan 11, 2025 01:23:10.131423950 CET | 443 | 49710 | 149.154.167.220 | 192.168.2.8 |
| Jan 11, 2025 01:23:10.402487993 CET | 443 | 49710 | 149.154.167.220 | 192.168.2.8 |
| Jan 11, 2025 01:23:10.402731895 CET | 443 | 49710 | 149.154.167.220 | 192.168.2.8 |
| Jan 11, 2025 01:23:10.402817011 CET | 49710 | 443 | 192.168.2.8 | 149.154.167.220 |
| Jan 11, 2025 01:23:10.403279066 CET | 49710 | 443 | 192.168.2.8 | 149.154.167.220 |
| Jan 11, 2025 01:24:14.450553894 CET | 80 | 49708 | 132.226.247.73 | 192.168.2.8 |
| Jan 11, 2025 01:24:14.451694965 CET | 49708 | 80 | 192.168.2.8 | 132.226.247.73 |
| Jan 11, 2025 01:24:49.447598934 CET | 49708 | 80 | 192.168.2.8 | 132.226.247.73 |
| Jan 11, 2025 01:24:49.452637911 CET | 80 | 49708 | 132.226.247.73 | 192.168.2.8 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 11, 2025 01:22:55.297811031 CET | 60428 | 53 | 192.168.2.8 | 1.1.1.1 |
| Jan 11, 2025 01:22:55.304408073 CET | 53 | 60428 | 1.1.1.1 | 192.168.2.8 |
| Jan 11, 2025 01:22:56.591552019 CET | 65368 | 53 | 192.168.2.8 | 1.1.1.1 |
| Jan 11, 2025 01:22:56.598787069 CET | 53 | 65368 | 1.1.1.1 | 192.168.2.8 |
| Jan 11, 2025 01:23:00.576227903 CET | 55673 | 53 | 192.168.2.8 | 1.1.1.1 |
| Jan 11, 2025 01:23:00.583519936 CET | 53 | 55673 | 1.1.1.1 | 192.168.2.8 |
| Jan 11, 2025 01:23:01.909193993 CET | 60584 | 53 | 192.168.2.8 | 1.1.1.1 |
| Jan 11, 2025 01:23:02.826745033 CET | 53 | 60584 | 1.1.1.1 | 192.168.2.8 |
| Jan 11, 2025 01:23:09.454308033 CET | 52211 | 53 | 192.168.2.8 | 1.1.1.1 |
| Jan 11, 2025 01:23:09.461272955 CET | 53 | 52211 | 1.1.1.1 | 192.168.2.8 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Jan 11, 2025 01:22:55.297811031 CET | 192.168.2.8 | 1.1.1.1 | 0x144b | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 11, 2025 01:22:56.591552019 CET | 192.168.2.8 | 1.1.1.1 | 0x3c68 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 11, 2025 01:23:00.576227903 CET | 192.168.2.8 | 1.1.1.1 | 0x5eba | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 11, 2025 01:23:01.909193993 CET | 192.168.2.8 | 1.1.1.1 | 0x176d | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 11, 2025 01:23:09.454308033 CET | 192.168.2.8 | 1.1.1.1 | 0x2404 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jan 11, 2025 01:22:55.304408073 CET | 1.1.1.1 | 192.168.2.8 | 0x144b | No error (0) | 142.250.186.78 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 01:22:56.598787069 CET | 1.1.1.1 | 192.168.2.8 | 0x3c68 | No error (0) | 142.250.185.129 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 01:23:00.583519936 CET | 1.1.1.1 | 192.168.2.8 | 0x5eba | No error (0) | checkip.dyndns.com | CNAME (Canonical name) | IN (0x0001) | false | ||
| Jan 11, 2025 01:23:00.583519936 CET | 1.1.1.1 | 192.168.2.8 | 0x5eba | No error (0) | 132.226.247.73 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 01:23:00.583519936 CET | 1.1.1.1 | 192.168.2.8 | 0x5eba | No error (0) | 193.122.6.168 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 01:23:00.583519936 CET | 1.1.1.1 | 192.168.2.8 | 0x5eba | No error (0) | 132.226.8.169 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 01:23:00.583519936 CET | 1.1.1.1 | 192.168.2.8 | 0x5eba | No error (0) | 193.122.130.0 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 01:23:00.583519936 CET | 1.1.1.1 | 192.168.2.8 | 0x5eba | No error (0) | 158.101.44.242 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 01:23:02.826745033 CET | 1.1.1.1 | 192.168.2.8 | 0x176d | No error (0) | 104.21.32.1 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 01:23:02.826745033 CET | 1.1.1.1 | 192.168.2.8 | 0x176d | No error (0) | 104.21.96.1 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 01:23:02.826745033 CET | 1.1.1.1 | 192.168.2.8 | 0x176d | No error (0) | 104.21.64.1 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 01:23:02.826745033 CET | 1.1.1.1 | 192.168.2.8 | 0x176d | No error (0) | 104.21.112.1 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 01:23:02.826745033 CET | 1.1.1.1 | 192.168.2.8 | 0x176d | No error (0) | 104.21.80.1 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 01:23:02.826745033 CET | 1.1.1.1 | 192.168.2.8 | 0x176d | No error (0) | 104.21.16.1 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 01:23:02.826745033 CET | 1.1.1.1 | 192.168.2.8 | 0x176d | No error (0) | 104.21.48.1 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 01:23:09.461272955 CET | 1.1.1.1 | 192.168.2.8 | 0x2404 | No error (0) | 149.154.167.220 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.8 | 49708 | 132.226.247.73 | 80 | 6976 | C:\Users\user\Desktop\4AMVusDMPP.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jan 11, 2025 01:23:00.593863964 CET | 151 | OUT | |
| Jan 11, 2025 01:23:01.328577995 CET | 273 | IN | |
| Jan 11, 2025 01:23:01.333426952 CET | 127 | OUT | |
| Jan 11, 2025 01:23:01.543998957 CET | 273 | IN | |
| Jan 11, 2025 01:23:09.234652996 CET | 127 | OUT | |
| Jan 11, 2025 01:23:09.450618982 CET | 273 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.8 | 49706 | 142.250.186.78 | 443 | 6976 | C:\Users\user\Desktop\4AMVusDMPP.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-11 00:22:56 UTC | 216 | OUT | |
| 2025-01-11 00:22:56 UTC | 1920 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.8 | 49707 | 142.250.185.129 | 443 | 6976 | C:\Users\user\Desktop\4AMVusDMPP.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-11 00:22:57 UTC | 258 | OUT | |
| 2025-01-11 00:22:59 UTC | 4945 | IN | |
| 2025-01-11 00:22:59 UTC | 4945 | IN | |
| 2025-01-11 00:22:59 UTC | 4807 | IN | |
| 2025-01-11 00:22:59 UTC | 1324 | IN | |
| 2025-01-11 00:22:59 UTC | 1390 | IN | |
| 2025-01-11 00:22:59 UTC | 1390 | IN | |
| 2025-01-11 00:22:59 UTC | 1390 | IN | |
| 2025-01-11 00:22:59 UTC | 1390 | IN | |
| 2025-01-11 00:22:59 UTC | 1390 | IN | |
| 2025-01-11 00:22:59 UTC | 1390 | IN | |
| 2025-01-11 00:23:00 UTC | 1390 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.8 | 49709 | 104.21.32.1 | 443 | 6976 | C:\Users\user\Desktop\4AMVusDMPP.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-11 00:23:03 UTC | 85 | OUT | |
| 2025-01-11 00:23:03 UTC | 853 | IN | |
| 2025-01-11 00:23:03 UTC | 362 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.8 | 49710 | 149.154.167.220 | 443 | 6976 | C:\Users\user\Desktop\4AMVusDMPP.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-11 00:23:10 UTC | 296 | OUT | |
| 2025-01-11 00:23:10 UTC | 1090 | OUT | |
| 2025-01-11 00:23:10 UTC | 388 | IN | |
| 2025-01-11 00:23:10 UTC | 540 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 19:22:15 |
| Start date: | 10/01/2025 |
| Path: | C:\Users\user\Desktop\4AMVusDMPP.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 997'399 bytes |
| MD5 hash: | ED6F1C14E085E4FBC7C47F894F2140B9 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 19:22:44 |
| Start date: | 10/01/2025 |
| Path: | C:\Users\user\Desktop\4AMVusDMPP.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 997'399 bytes |
| MD5 hash: | ED6F1C14E085E4FBC7C47F894F2140B9 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | false |
Execution Graph
| Execution Coverage: | 20.5% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 19.6% |
| Total number of Nodes: | 1592 |
| Total number of Limit Nodes: | 39 |
Graph
Function 004034A5 Relevance: 84.4, APIs: 32, Strings: 16, Instructions: 410stringfilecomCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404DCC Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6E881B5F Relevance: 20.1, APIs: 13, Instructions: 576stringlibrarymemoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405AFA Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148filestringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406AF2 Relevance: 5.4, APIs: 4, Instructions: 382COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403E86 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346windowstringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403AD8 Relevance: 44.0, APIs: 13, Strings: 12, Instructions: 215stringregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402F30 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 203memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040640A Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 209stringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145stringtimeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406752 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004023E4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004053C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004062B6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406F27 Relevance: 5.2, APIs: 4, Instructions: 236COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407128 Relevance: 5.2, APIs: 4, Instructions: 208COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406E3E Relevance: 5.2, APIs: 4, Instructions: 205COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406943 Relevance: 5.2, APIs: 4, Instructions: 198COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406D91 Relevance: 5.2, APIs: 4, Instructions: 180COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406EAF Relevance: 5.2, APIs: 4, Instructions: 170COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406DFB Relevance: 5.2, APIs: 4, Instructions: 168COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004032DE Relevance: 4.6, APIs: 3, Instructions: 101COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402032 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401B77 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004031D6 Relevance: 3.1, APIs: 2, Instructions: 88COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401E49 Relevance: 3.0, APIs: 2, Instructions: 25COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405EDE Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040599C Relevance: 3.0, APIs: 2, Instructions: 9COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6E882AAC Relevance: 1.6, APIs: 1, Instructions: 143COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040167B Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004027EF Relevance: 1.5, APIs: 1, Instructions: 28COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405F61 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405F90 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6E882993 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040345D Relevance: 1.5, APIs: 1, Instructions: 6COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404394 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040558F Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284windowclipboardmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404850 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402868 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040451E Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204windowstringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406034 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004043C6 Relevance: 12.1, APIs: 8, Instructions: 68COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404D1A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402DF3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6E882569 Relevance: 9.1, APIs: 6, Instructions: 109COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404C0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402598 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6E8818D9 Relevance: 7.7, APIs: 5, Instructions: 194COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6E882394 Relevance: 7.6, APIs: 5, Instructions: 135memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401DB9 Relevance: 7.5, APIs: 5, Instructions: 43COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6E88161D Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401D5D Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401C1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405CBD Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405DC5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004059D1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405D09 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6E8810E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405E43 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 10.2% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 2.4% |
| Total number of Nodes: | 255 |
| Total number of Limit Nodes: | 17 |
Graph
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 35920C1A Relevance: 1.5, Strings: 1, Instructions: 238COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 35920C28 Relevance: 1.5, Strings: 1, Instructions: 220COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00158DA0 Relevance: 1.1, Instructions: 1138COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3648BDF0 Relevance: .8, Instructions: 758COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36488650 Relevance: .7, Instructions: 709COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00155968 Relevance: .5, Instructions: 511COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00155F90 Relevance: .5, Instructions: 467COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3592C638 Relevance: .3, Instructions: 321COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 359203AF Relevance: .3, Instructions: 285COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36489D10 Relevance: .2, Instructions: 219COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3648A360 Relevance: .2, Instructions: 219COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 364896C8 Relevance: .2, Instructions: 218COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3648A9B0 Relevance: .2, Instructions: 218COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 35920F6F Relevance: .2, Instructions: 202COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00154328 Relevance: .2, Instructions: 194COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3648BA97 Relevance: .2, Instructions: 191COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36488640 Relevance: .2, Instructions: 170COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3648A9A0 Relevance: .2, Instructions: 170COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 364896B8 Relevance: .2, Instructions: 166COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3648C92F Relevance: .2, Instructions: 153COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36489D00 Relevance: .1, Instructions: 118COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3648A353 Relevance: .1, Instructions: 108COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 367E0970 Relevance: 6.1, APIs: 4, Instructions: 137threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 367E0980 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00150B29 Relevance: 2.7, Strings: 2, Instructions: 203COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00150B30 Relevance: 2.7, Strings: 2, Instructions: 200COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 367E0104 Relevance: 1.6, APIs: 1, Instructions: 116COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 367E0110 Relevance: 1.6, APIs: 1, Instructions: 113COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 367E1DC0 Relevance: 1.6, APIs: 1, Instructions: 93COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 367E0BC0 Relevance: 1.6, APIs: 1, Instructions: 64COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 367E0BC8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 367ED3E8 Relevance: 1.5, APIs: 1, Instructions: 47comCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 367EC560 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 367E2020 Relevance: 1.5, APIs: 1, Instructions: 44timeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00158729 Relevance: 1.3, Strings: 1, Instructions: 65COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00157458 Relevance: .7, Instructions: 704COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001519B8 Relevance: .6, Instructions: 643COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001566B8 Relevance: .5, Instructions: 456COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00154F00 Relevance: .3, Instructions: 329COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3648C175 Relevance: .3, Instructions: 322COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3648C173 Relevance: .3, Instructions: 319COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00155460 Relevance: .2, Instructions: 228COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00156C98 Relevance: .2, Instructions: 201COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0015AF90 Relevance: .2, Instructions: 201COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00158A4B Relevance: .2, Instructions: 196COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00158D90 Relevance: .2, Instructions: 190COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3648FAB0 Relevance: .2, Instructions: 189COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3648BA8F Relevance: .2, Instructions: 173COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3648C4CF Relevance: .2, Instructions: 155COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3648D548 Relevance: .1, Instructions: 148COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36487920 Relevance: .1, Instructions: 147COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3648CC28 Relevance: .1, Instructions: 145COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00153168 Relevance: .1, Instructions: 134COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36488721 Relevance: .1, Instructions: 130COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001592C3 Relevance: .1, Instructions: 126COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00159EB0 Relevance: .1, Instructions: 121COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00158BF0 Relevance: .1, Instructions: 105COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00154620 Relevance: .1, Instructions: 101COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00156F30 Relevance: .1, Instructions: 91COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3648CF68 Relevance: .1, Instructions: 88COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00156F40 Relevance: .1, Instructions: 87COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0015FE60 Relevance: .1, Instructions: 87COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3648CF59 Relevance: .1, Instructions: 80COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001518C8 Relevance: .1, Instructions: 77COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0009D4DC Relevance: .1, Instructions: 75COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001552C8 Relevance: .1, Instructions: 74COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000AD030 Relevance: .1, Instructions: 72COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36487922 Relevance: .1, Instructions: 72COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00150EC8 Relevance: .1, Instructions: 70COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0015324D Relevance: .1, Instructions: 68COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3648B97F Relevance: .1, Instructions: 65COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0015461D Relevance: .1, Instructions: 65COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36489478 Relevance: .1, Instructions: 62COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001552C0 Relevance: .1, Instructions: 61COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001517B8 Relevance: .1, Instructions: 61COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0015B2C8 Relevance: .1, Instructions: 59COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0009D4D7 Relevance: .1, Instructions: 56COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3648B9C8 Relevance: .1, Instructions: 56COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3648B9C7 Relevance: .1, Instructions: 56COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0015B2E0 Relevance: .1, Instructions: 56COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000AD02B Relevance: .1, Instructions: 53COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00154E5F Relevance: .1, Instructions: 52COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3648CE50 Relevance: .0, Instructions: 50COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3648E7F4 Relevance: .0, Instructions: 50COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0015B2F0 Relevance: .0, Instructions: 49COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00158D19 Relevance: .0, Instructions: 44COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0015FC3E Relevance: .0, Instructions: 41COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3648CE60 Relevance: .0, Instructions: 39COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 364895E8 Relevance: .0, Instructions: 39COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36489608 Relevance: .0, Instructions: 35COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3648D4C8 Relevance: .0, Instructions: 35COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3648EC25 Relevance: .0, Instructions: 34COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0015B158 Relevance: .0, Instructions: 32COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0015FE12 Relevance: .0, Instructions: 30COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00151877 Relevance: .0, Instructions: 25COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0015FE20 Relevance: .0, Instructions: 23COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0015FF22 Relevance: .0, Instructions: 20COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00151888 Relevance: .0, Instructions: 19COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001556FF Relevance: .0, Instructions: 18COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00157EC0 Relevance: .0, Instructions: 18COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3648CF30 Relevance: .0, Instructions: 17COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00159F6D Relevance: .0, Instructions: 16COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 364895D8 Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0015FF30 Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3648D095 Relevance: .0, Instructions: 14COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3648BD48 Relevance: .0, Instructions: 13COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0015FFB0 Relevance: .0, Instructions: 13COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 364894B4 Relevance: .0, Instructions: 12COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00155710 Relevance: .0, Instructions: 12COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004034A5 Relevance: 75.7, APIs: 32, Strings: 11, Instructions: 410stringfilecomCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404DCC Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405AFA Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 148filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406AF2 Relevance: 5.4, APIs: 4, Instructions: 382COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3592DEE1 Relevance: 1.5, Strings: 1, Instructions: 273COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36487B4F Relevance: .6, Instructions: 610COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3592BD88 Relevance: .3, Instructions: 275COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3592B07F Relevance: .3, Instructions: 275COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3592F041 Relevance: .3, Instructions: 272COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3592E339 Relevance: .3, Instructions: 272COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3592DA89 Relevance: .3, Instructions: 272COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36485660 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36482E10 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 364836C0 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36483F70 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36485F10 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 364867C0 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36480FA8 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36481400 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36486C18 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 364874C8 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36481CB0 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36482560 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36484DB0 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36483268 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36485208 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36485AB8 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36486368 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36483B18 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 364843C8 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36481858 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36487070 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36484820 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36482108 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 364829B8 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3592C1F2 Relevance: .3, Instructions: 267COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3592B4EC Relevance: .3, Instructions: 265COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3592B944 Relevance: .3, Instructions: 265COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3592E790 Relevance: .3, Instructions: 255COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3592EBF2 Relevance: .3, Instructions: 253COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36488193 Relevance: .2, Instructions: 193COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 36488373 Relevance: .1, Instructions: 116COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3648CBE7 Relevance: .0, Instructions: 17COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040558F Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284windowclipboardmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403E86 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346windowstringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403AD8 Relevance: 38.7, APIs: 13, Strings: 9, Instructions: 215stringregistryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040451E Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 204windowstringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404850 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 275stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406034 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402F30 Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 203memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040640A Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 209stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004043C6 Relevance: 12.1, APIs: 8, Instructions: 68COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404D1A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406752 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402DF3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404C0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401DB9 Relevance: 7.5, APIs: 5, Instructions: 43COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401D5D Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401C1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040591F Relevance: 6.0, APIs: 4, Instructions: 39COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405DC5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004053C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004059D1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406F27 Relevance: 5.2, APIs: 4, Instructions: 236COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407128 Relevance: 5.2, APIs: 4, Instructions: 208COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406E3E Relevance: 5.2, APIs: 4, Instructions: 205COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406943 Relevance: 5.2, APIs: 4, Instructions: 198COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406D91 Relevance: 5.2, APIs: 4, Instructions: 180COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406EAF Relevance: 5.2, APIs: 4, Instructions: 170COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406DFB Relevance: 5.2, APIs: 4, Instructions: 168COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405E43 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|