Edit tour
Windows
Analysis Report
14lVOjBoI2.exe
Overview
General Information
| Sample name: | 14lVOjBoI2.exerenamed because original name is a hash value |
| Original sample name: | ad3b51ce98d8e69775168649d8b4ffbee80c182b3fdb6cfa7f964548c70e9e75.exe |
| Analysis ID: | 1588928 |
| MD5: | ebf8a74191898b4a5cd58ffe2035c1ee |
| SHA1: | d73223724a73b0f7c3d0889247c50f97818ca4c0 |
| SHA256: | ad3b51ce98d8e69775168649d8b4ffbee80c182b3fdb6cfa7f964548c70e9e75 |
| Tags: | exeGuLoaderuser-adrian__luca |
| Infos: |  |
 | |
Detection
GuLoader, MassLogger RAT
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected MassLogger RAT
Yara detected Telegram RAT
AI detected suspicious sample
Disable Task Manager(disabletaskmgr)
Disables CMD prompt
Disables the Windows task manager (taskmgr)
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Classification
- System is w10x64
14lVOjBoI2.exe (PID: 7572 cmdline: "C:\Users\ user\Deskt op\14lVOjB oI2.exe" MD5: EBF8A74191898B4A5CD58FFE2035C1EE) - 14lVOjBoI2.exe (PID: 8088 cmdline:
"C:\Users\ user\Deskt op\14lVOjB oI2.exe" MD5: EBF8A74191898B4A5CD58FFE2035C1EE)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution |
{"C2 url": "https://api.telegram.org/bot7950435483:AAFkeNvnoegSYKyL7niKKZ3tPB62z3LQcco/sendMessage"}{"EXfil Mode": "Telegram", "Telegram Token": "7950435483:AAFkeNvnoegSYKyL7niKKZ3tPB62z3LQcco", "Telegram Chatid": "6897585916"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | ||
| JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | ||
| JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | ||
| Click to see the 3 entries | ||||
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-11T07:20:28.673274+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49713 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:20:32.352743+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49715 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:20:33.907815+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49717 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:20:36.397639+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49719 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:20:37.992261+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49721 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:20:39.600046+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49723 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:20:41.250577+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49725 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:20:45.361029+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49727 | 149.154.167.220 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-11T07:20:15.627680+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49711 | 132.226.247.73 | 80 | TCP |
| 2025-01-11T07:20:25.191376+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49711 | 132.226.247.73 | 80 | TCP |
| 2025-01-11T07:20:27.737418+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49711 | 132.226.247.73 | 80 | TCP |
| 2025-01-11T07:20:31.424576+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49714 | 132.226.247.73 | 80 | TCP |
| 2025-01-11T07:20:33.112153+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49716 | 132.226.247.73 | 80 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-11T07:20:01.715417+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49709 | 142.250.185.142 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-11T07:20:28.407804+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.9 | 49713 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:20:32.009754+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.9 | 49715 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:20:33.688144+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.9 | 49717 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:20:36.194186+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.9 | 49719 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:20:37.707556+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.9 | 49721 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:20:39.294053+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.9 | 49723 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:20:40.942200+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.9 | 49725 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:20:45.052385+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.9 | 49727 | 149.154.167.220 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Integrated Neural Analysis Model: | ||
Location Tracking | |
|---|
| Source: | DNS query: | ||
| Source: | Code function: | 5_2_38D7D1EC | |
| Source: | Code function: | 5_2_38D7D9D9 | |
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00405846 | |
| Source: | Code function: | 0_2_004027FB | |
| Source: | Code function: | 0_2_00406398 | |
| Source: | Code function: | 5_2_00405846 | |
| Source: | Code function: | 5_2_004027FB | |
| Source: | Code function: | 5_2_00406398 | |
| Source: | Code function: | 5_2_38D703AF | |
| Source: | Code function: | 5_2_38D70C28 | |
| Source: | Code function: | 5_2_38D7C638 | |
| Source: | Code function: | 5_2_38D7F044 | |
| Source: | Code function: | 5_2_38D7B07F | |
| Source: | Code function: | 5_2_38D7C1F2 | |
| Source: | Code function: | 5_2_38D7B930 | |
| Source: | Code function: | 5_2_38D7DA89 | |
| Source: | Code function: | 5_2_38D7EBF4 | |
| Source: | Code function: | 5_2_38D7E339 | |
| Source: | Code function: | 5_2_38D7B4EC | |
| Source: | Code function: | 5_2_38D70C1B | |
| Source: | Code function: | 5_2_38D7BD88 | |
| Source: | Code function: | 5_2_38D7DEE1 | |
| Source: | Code function: | 5_2_38D7E790 | |
| Source: | Code function: | 5_2_38D70F6F | |
| Source: | Code function: | 5_2_38DC6368 | |
| Source: | Code function: | 5_2_38DCBDF0 | |
| Source: | Code function: | 5_2_38DC8650 | |
| Source: | Code function: | 5_2_38DC8650 | |
| Source: | Code function: | 5_2_38DC1858 | |
| Source: | Code function: | 5_2_38DC7070 | |
| Source: | Code function: | 5_2_38DC4820 | |
| Source: | Code function: | 5_2_38DC29B8 | |
| Source: | Code function: | 5_2_38DC2108 | |
| Source: | Code function: | 5_2_38DC5AB8 | |
| Source: | Code function: | 5_2_38DC3268 | |
| Source: | Code function: | 5_2_38DC5208 | |
| Source: | Code function: | 5_2_38DC43C8 | |
| Source: | Code function: | 5_2_38DC7B4F | |
| Source: | Code function: | 5_2_38DC3B18 | |
| Source: | Code function: | 5_2_38DC74C8 | |
| Source: | Code function: | 5_2_38DC1CB0 | |
| Source: | Code function: | 5_2_38DC6C18 | |
| Source: | Code function: | 5_2_38DC1400 | |
| Source: | Code function: | 5_2_38DC4DB0 | |
| Source: | Code function: | 5_2_38DC2560 | |
| Source: | Code function: | 5_2_38DC36C0 | |
| Source: | Code function: | 5_2_38DC5660 | |
| Source: | Code function: | 5_2_38DC2E10 | |
| Source: | Code function: | 5_2_38DC67C0 | |
| Source: | Code function: | 5_2_38DC0FA8 | |
| Source: | Code function: | 5_2_38DC3F70 | |
| Source: | Code function: | 5_2_38DC5F10 | |
| Source: | Code function: | 5_2_392CE5C8 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | JA3 fingerprint: | ||
| Source: | JA3 fingerprint: | ||
| Source: | DNS query: | ||
| Source: | DNS query: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 0_2_004052F3 | |
| Source: | Process Stats: | ||
| Source: | Code function: | 5_2_392C3D01 | |
| Source: | Code function: | 5_2_392C3D40 | |
| Source: | Code function: | 5_2_392C3CE0 | |
| Source: | Code function: | 0_2_004032A0 | |
| Source: | Code function: | 5_2_004032A0 | |
| Source: | Code function: | 0_2_00404B30 | |
| Source: | Code function: | 0_2_00407041 | |
| Source: | Code function: | 0_2_0040686A | |
| Source: | Code function: | 5_2_00407041 | |
| Source: | Code function: | 5_2_0040686A | |
| Source: | Code function: | 5_2_00404B30 | |
| Source: | Code function: | 5_2_00114328 | |
| Source: | Code function: | 5_2_001127B9 | |
| Source: | Code function: | 5_2_00118DA0 | |
| Source: | Code function: | 5_2_00115F90 | |
| Source: | Code function: | 5_2_00112DD1 | |
| Source: | Code function: | 5_2_38D758F0 | |
| Source: | Code function: | 5_2_38D77848 | |
| Source: | Code function: | 5_2_38D703AF | |
| Source: | Code function: | 5_2_38D7331B | |
| Source: | Code function: | 5_2_38D7CCA0 | |
| Source: | Code function: | 5_2_38D7C638 | |
| Source: | Code function: | 5_2_38D7F044 | |
| Source: | Code function: | 5_2_38D7B07F | |
| Source: | Code function: | 5_2_38D769CB | |
| Source: | Code function: | 5_2_38D7C1F2 | |
| Source: | Code function: | 5_2_38D7B930 | |
| Source: | Code function: | 5_2_38D7DA89 | |
| Source: | Code function: | 5_2_38D76A43 | |
| Source: | Code function: | 5_2_38D7EBF7 | |
| Source: | Code function: | 5_2_38D7E339 | |
| Source: | Code function: | 5_2_38D7B4EC | |
| Source: | Code function: | 5_2_38D7CC8E | |
| Source: | Code function: | 5_2_38D7BD88 | |
| Source: | Code function: | 5_2_38D7DEE1 | |
| Source: | Code function: | 5_2_38D76EA0 | |
| Source: | Code function: | 5_2_38D7E79F | |
| Source: | Code function: | 5_2_38D77F09 | |
| Source: | Code function: | 5_2_38DCA9B0 | |
| Source: | Code function: | 5_2_38DC6368 | |
| Source: | Code function: | 5_2_38DCA360 | |
| Source: | Code function: | 5_2_38DCBDF0 | |
| Source: | Code function: | 5_2_38DC9D10 | |
| Source: | Code function: | 5_2_38DC96C8 | |
| Source: | Code function: | 5_2_38DC8650 | |
| Source: | Code function: | 5_2_38DC20F8 | |
| Source: | Code function: | 5_2_38DC1858 | |
| Source: | Code function: | 5_2_38DC184C | |
| Source: | Code function: | 5_2_38DC0040 | |
| Source: | Code function: | 5_2_38DC7070 | |
| Source: | Code function: | 5_2_38DC7061 | |
| Source: | Code function: | 5_2_38DC4814 | |
| Source: | Code function: | 5_2_38DC4820 | |
| Source: | Code function: | 5_2_38DC29B8 | |
| Source: | Code function: | 5_2_38DCA9AF | |
| Source: | Code function: | 5_2_38DC29A8 | |
| Source: | Code function: | 5_2_38DC2108 | |
| Source: | Code function: | 5_2_38DCEAF9 | |
| Source: | Code function: | 5_2_38DCBA97 | |
| Source: | Code function: | 5_2_38DC5AB8 | |
| Source: | Code function: | 5_2_38DC5AA8 | |
| Source: | Code function: | 5_2_38DC3268 | |
| Source: | Code function: | 5_2_38DC5208 | |
| Source: | Code function: | 5_2_38DC5207 | |
| Source: | Code function: | 5_2_38DC43C8 | |
| Source: | Code function: | 5_2_38DC13F0 | |
| Source: | Code function: | 5_2_38DC43B9 | |
| Source: | Code function: | 5_2_38DCA35F | |
| Source: | Code function: | 5_2_38DC6358 | |
| Source: | Code function: | 5_2_38DC7B4F | |
| Source: | Code function: | 5_2_38DC3B18 | |
| Source: | Code function: | 5_2_38DC3B08 | |
| Source: | Code function: | 5_2_38DCEB08 | |
| Source: | Code function: | 5_2_38DC74C8 | |
| Source: | Code function: | 5_2_38DC74B8 | |
| Source: | Code function: | 5_2_38DC1CB0 | |
| Source: | Code function: | 5_2_38DC1CA0 | |
| Source: | Code function: | 5_2_38DC6C18 | |
| Source: | Code function: | 5_2_38DC6C09 | |
| Source: | Code function: | 5_2_38DC1400 | |
| Source: | Code function: | 5_2_38DC4DB0 | |
| Source: | Code function: | 5_2_38DC4DB2 | |
| Source: | Code function: | 5_2_38DC2550 | |
| Source: | Code function: | 5_2_38DC2560 | |
| Source: | Code function: | 5_2_38DC9D0B | |
| Source: | Code function: | 5_2_38DC36C0 | |
| Source: | Code function: | 5_2_38DC96C3 | |
| Source: | Code function: | 5_2_38DC36B0 | |
| Source: | Code function: | 5_2_38DC5650 | |
| Source: | Code function: | 5_2_38DC8640 | |
| Source: | Code function: | 5_2_38DC5660 | |
| Source: | Code function: | 5_2_38DC2E10 | |
| Source: | Code function: | 5_2_38DC67C0 | |
| Source: | Code function: | 5_2_38DCAFF8 | |
| Source: | Code function: | 5_2_38DCAFF7 | |
| Source: | Code function: | 5_2_38DCAFE8 | |
| Source: | Code function: | 5_2_38DC67B0 | |
| Source: | Code function: | 5_2_38DC0FA8 | |
| Source: | Code function: | 5_2_38DC3F70 | |
| Source: | Code function: | 5_2_38DC3F60 | |
| Source: | Code function: | 5_2_38DC5F10 | |
| Source: | Code function: | 5_2_392CE5C8 | |
| Source: | Code function: | 5_2_392CD448 | |
| Source: | Code function: | 5_2_392C73E0 | |
| Source: | Code function: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_004032A0 | |
| Source: | Code function: | 5_2_004032A0 | |
| Source: | Code function: | 0_2_004045B4 | |
| Source: | Code function: | 0_2_00402095 | |
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | ReversingLabs: | ||
| Source: | Virustotal: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | LNK file: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
Data Obfuscation | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Code function: | 0_2_10001B18 | |
| Source: | Code function: | 0_2_10002E0E | |
| Source: | File created: | Jump to dropped file | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | API/Special instruction interceptor: | ||
| Source: | API/Special instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | API coverage: | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Code function: | 0_2_00405846 | |
| Source: | Code function: | 0_2_004027FB | |
| Source: | Code function: | 0_2_00406398 | |
| Source: | Code function: | 5_2_00405846 | |
| Source: | Code function: | 5_2_004027FB | |
| Source: | Code function: | 5_2_00406398 | |
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_0-3943 | ||
| Source: | API call chain: | graph_0-3763 | ||
| Source: | Code function: | 0_2_10001B18 | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_00406077 | |
| Source: | Key value queried: | Jump to behavior | ||
Lowering of HIPS / PFW / Operating System Security Settings | |
|---|
| Source: | Registry value created: | Jump to behavior | ||
| Source: | Registry value created: | Jump to behavior | ||
| Source: | Registry key created or modified: | Jump to behavior | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Masquerading | 1 OS Credential Dumping | 21 Security Software Discovery | Remote Services | 1 Email Collection | 1 Web Service | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 11 Process Injection | 31 Disable or Modify Tools | LSASS Memory | 31 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 31 Virtualization/Sandbox Evasion | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | 1 Data from Local System | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Access Token Manipulation | NTDS | 1 System Network Configuration Discovery | Distributed Component Object Model | 1 Clipboard Data | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Process Injection | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | 14 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Deobfuscate/Decode Files or Information | Cached Domain Credentials | 215 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 3 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 55% | ReversingLabs | Win32.Trojan.Generic | ||
| 65% | Virustotal | Browse |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | ReversingLabs | |||
| 0% | Virustotal | Browse |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| drive.google.com | 142.250.185.142 | true | false | high | |
| drive.usercontent.google.com | 216.58.206.65 | true | false | high | |
| reallyfreegeoip.org | 104.21.32.1 | true | false | high | |
| api.telegram.org | 149.154.167.220 | true | false | high | |
| checkip.dyndns.com | 132.226.247.73 | true | false | high | |
| checkip.dyndns.org | unknown | unknown | false | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | high | ||
| false | high | ||
| false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false | |
| 142.250.185.142 | drive.google.com | United States | 15169 | GOOGLEUS | false | |
| 104.21.32.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false | |
| 216.58.206.65 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false | |
| 132.226.247.73 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false |
| Joe Sandbox version: | 42.0.0 Malachite |
| Analysis ID: | 1588928 |
| Start date and time: | 2025-01-11 07:17:38 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 7m 35s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 8 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | 14lVOjBoI2.exerenamed because original name is a hash value |
| Original Sample Name: | ad3b51ce98d8e69775168649d8b4ffbee80c182b3fdb6cfa7f964548c70e9e75.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@3/8@5/5 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 172.202.163.200
- Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
| Time | Type | Description |
|---|---|---|
| 01:20:24 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 149.154.167.220 | Get hash | malicious | GuLoader, MassLogger RAT | Browse | ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
| Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse | |||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
| Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse | |||
| Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | |||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
| Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | |||
| 104.21.32.1 | Get hash | malicious | FormBook | Browse |
| |
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | CMSBrute | Browse |
| ||
| 132.226.247.73 | Get hash | malicious | MassLogger RAT | Browse |
| |
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| reallyfreegeoip.org | Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| |
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| checkip.dyndns.com | Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| |
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| api.telegram.org | Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| |
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| TELEGRAMRU | Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| |
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse |
| ||
| UTMEMUS | Get hash | malicious | MassLogger RAT | Browse |
| |
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| CLOUDFLARENETUS | Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| |
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Azorult | Browse |
| ||
| Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 54328bd36c14bd82ddaa0c04b25ed9ad | Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| |
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| 3b5074b1b5d032e5620f69f9f700ff0e | Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| |
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| 37f463bf4616ecd445d4a1937da06e19 | Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| |
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | FormBook, GuLoader | Browse |
| ||
| Get hash | malicious | FormBook, GuLoader | Browse |
| ||
| Get hash | malicious | Nitol, Xmrig | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\nsr675C.tmp\System.dll | Get hash | malicious | GuLoader, MassLogger RAT | Browse | ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Unlatticed\Backlit.For146
Download File
| Process: | C:\Users\user\Desktop\14lVOjBoI2.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 283232 |
| Entropy (8bit): | 7.730017738922209 |
| Encrypted: | false |
| SSDEEP: | 6144:DEUchWvPNFecwIuViaNU/C96KyyNWlGR5k0j9pr1+27Qe:A+V9wFi1/evN8mkY95s+d |
| MD5: | C67B0E2D4F1C2A939FEC3381DFD628FA |
| SHA1: | 11C7759BA402EFA25458EA873297BD5082F92D50 |
| SHA-256: | 2351DC0F4567D15F232305787C947958A3F9CF37DA33AF328154A52AE0685661 |
| SHA-512: | FACD9C26F0368D296C808337EA96C475A7E3090BDE12E05A3B3F1A02C895416FE69D030E5966012879D1996CAFA4CA2F248B769C1155D4A07D18B39F63550696 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Unlatticed\Handiest.Pla
Download File
| Process: | C:\Users\user\Desktop\14lVOjBoI2.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 108946 |
| Entropy (8bit): | 4.606837605675962 |
| Encrypted: | false |
| SSDEEP: | 1536:m2spe3sJV6pGqNPJ1yjuFaWo2SD3ISEMvV5CKk2nYBPbns2WK:VswcypjJ1yyar2A3ISvLCeYlTWK |
| MD5: | 5109F4D21F8B3396D0D55CFDD2B86A47 |
| SHA1: | 554DA61E02250B5D737A5BFC4BE0BA882429E08C |
| SHA-256: | 71ADDB58748EA63FE76E549D111ED2B67819184F6D18A0FBF68D070113409143 |
| SHA-512: | 3FCD5627A14414C6251E49E61419A62D0CB9E581C7E9514802DA666295E6798EFA5DBD1E270060A74778CC3FB64048536285451405D3525876F2C97AF90F55FA |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Unlatticed\Riprap43.gaw
Download File
| Process: | C:\Users\user\Desktop\14lVOjBoI2.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 56641 |
| Entropy (8bit): | 1.2318917163845036 |
| Encrypted: | false |
| SSDEEP: | 384:vrBeaW6xu5Pd9GW0Zq+/HXF1qcGNMUd8phxiFQHOV7hpvZlq:t9+Pdop/306xixrlq |
| MD5: | 39C9A5F767D8C170B5CE38EA8D5734D4 |
| SHA1: | 4B4CA81EB3D093645B504004F62A269D4EACDECC |
| SHA-256: | 87A7017021050071DBE5726BF9AC505763CD923E2BDE93336CA0905802CD8D49 |
| SHA-512: | AE2D66B801251046FA4D3093391B916955B43BE75A954DD398583B1B8881A9F109F51F81D6E4FE759F83AC7B921FA89B02185013AFDE16D3C8EAB422BE89B4FF |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Unlatticed\forskansningens.txt
Download File
| Process: | C:\Users\user\Desktop\14lVOjBoI2.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 345 |
| Entropy (8bit): | 4.241929841155785 |
| Encrypted: | false |
| SSDEEP: | 6:dvkdMOL4xnuXGNQWjMIDw1luhPB46xAJX7sBJOdkmLA8gMfArpIXbgOwQWiQJEEC:dufExIoDe1lYnGJLsBQdtL6rpIrWQkJA |
| MD5: | AE69FE0F4D1E1115BC470031E661785C |
| SHA1: | 8D3799826FE457C61C1E8EE5E3071683A8125BC5 |
| SHA-256: | 6B18768503395C809263568D3A8858810404C2B7D49DC7CB6CE5F717F5D6C7DE |
| SHA-512: | 969C0DB048EAC4A9B447A0C0C463A7983F1B4091B6206E274B9D249F8311439B6C33F5AA1EDF9CD1AA27502DA49378D3E1B45F16909C55DF830E51684E9648BE |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Unlatticed\fyldebtten.soi
Download File
| Process: | C:\Users\user\Desktop\14lVOjBoI2.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 210366 |
| Entropy (8bit): | 1.240975322465592 |
| Encrypted: | false |
| SSDEEP: | 768:vBTwJOLxCIF0V6iLboHog6BQlsMqlN1R0pmGy30wbfq6+9GmlsNh34k0uJ/QohER:cJigyyDJnLH7zA |
| MD5: | AEF78D8D561E8802286A78AAC6C73ED6 |
| SHA1: | DDF5DA649482D0A553802827BB9F0EF64A7069E1 |
| SHA-256: | 45F24543C01C9A11CC2246A9B27569AF433EEF61C877A4E191B683315D3566BE |
| SHA-512: | 93D43C0CECADF8E1F507F8E58D2B4D92995D8F7ECF213A23559938B380033A6D0D80B0816A8D6603864F821F4FEDC988E0F79BE14C6892089178970E08DC4199 |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\rapiditetens\fremtving\Unlatticed\wildwestfilm.sto
Download File
| Process: | C:\Users\user\Desktop\14lVOjBoI2.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 363811 |
| Entropy (8bit): | 1.2512349423386382 |
| Encrypted: | false |
| SSDEEP: | 768:y2f405GRYtnSLOBbyCociR2TVuEpHsVURGxwGmXjyMB+CtKDOgt9rlHF1QOs+9m5:pIuagbnK7CwVwFpYogwhUsvCq |
| MD5: | BFEA15C03AB295424981A73637A19491 |
| SHA1: | A5ADABDDC373D6B3004F96946D84B651E42D9F5C |
| SHA-256: | 83E9CE74259889DCABD39D41131F286882B224698DCDEB8D0B4074069AAA687B |
| SHA-512: | CB5969BFFAED8AF1791938E924E0CC9F876E45165F4E7EA5E9249131FACA831C0600F14BD68EF041D18C81A3FBE087970043D1B3B8A6786C1E5E5049834D4D0D |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\14lVOjBoI2.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 11776 |
| Entropy (8bit): | 5.655335921632966 |
| Encrypted: | false |
| SSDEEP: | 192:eF24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol9Sl:h8QIl975eXqlWBrz7YLOl9 |
| MD5: | EE260C45E97B62A5E42F17460D406068 |
| SHA1: | DF35F6300A03C4D3D3BD69752574426296B78695 |
| SHA-256: | E94A1F7BCD7E0D532B660D0AF468EB3321536C3EFDCA265E61F9EC174B1AEF27 |
| SHA-512: | A98F350D17C9057F33E5847462A87D59CBF2AAEDA7F6299B0D49BB455E484CE4660C12D2EB8C4A0D21DF523E729222BBD6C820BF25B081BC7478152515B414B3 |
| Malicious: | false |
| Antivirus: |
|
| Joe Sandbox View: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\14lVOjBoI2.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1174 |
| Entropy (8bit): | 3.253276889214852 |
| Encrypted: | false |
| SSDEEP: | 12:8wl0IsXyEKW2je/tz0/CSL6/cBnwgXl341DEDeG41DEDWqMsQ1olfW+kjcmAazpV:8HlKPjeWLrFPjPKq4izZMzrJpqy |
| MD5: | 993E6DE930B121836F36DB5DC496A712 |
| SHA1: | C607F3DE353871D3E79B7EEDB0840A3FFC7C4827 |
| SHA-256: | 4CE587CC1873D0A0833A1FB43924301059AE84347023F811BA237E1E7E45EC65 |
| SHA-512: | FD52837A4BA26BA175B6FC005CC5D4F48BA8DB53A6BDE685D56EFE24B313A4D6837CBC39FB77A4767EE0B7039148DFF0E988189CA88BE6A58556C547C2F2A8D7 |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.963561852977546 |
| TrID: |
|
| File name: | 14lVOjBoI2.exe |
| File size: | 472'339 bytes |
| MD5: | ebf8a74191898b4a5cd58ffe2035c1ee |
| SHA1: | d73223724a73b0f7c3d0889247c50f97818ca4c0 |
| SHA256: | ad3b51ce98d8e69775168649d8b4ffbee80c182b3fdb6cfa7f964548c70e9e75 |
| SHA512: | 23e3d0b6334cd277ba3d961d65e86e8af162730189328698e34a59c4ea627ffe20ebfc7b051d1a210892acc0390faca776e9d0d7243371e0a06047aafb39f9ab |
| SSDEEP: | 12288:I5AB4N/30vZBGn++dR3vkbuemnSku7Jj1JK8s5FEeKA:ZB4N/+BGnn35xSku7Jj1Jice9 |
| TLSH: | 71A423046214F0CBE0B25B364C6727AA6BBE731152B49F1787A4194A3C31BE5CD7E9E8 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P..*_...P...P..NP..*_...P...s...P...V...P..Rich.P..........................PE..L......V.................d......... |
 | |
| Icon Hash: | 3d2e0f95332b3399 |
| Entrypoint: | 0x4032a0 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x567F847F [Sun Dec 27 06:26:07 2015 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | d4b94e8ee3f620a89d114b9da4b31873 |
| Instruction |
|---|
| sub esp, 000002D4h |
| push ebp |
| push esi |
| push 00000020h |
| xor ebp, ebp |
| pop esi |
| mov dword ptr [esp+0Ch], ebp |
| push 00008001h |
| mov dword ptr [esp+0Ch], 0040A300h |
| mov dword ptr [esp+18h], ebp |
| call dword ptr [004080B0h] |
| call dword ptr [004080ACh] |
| cmp ax, 00000006h |
| je 00007F08D0DBB0E3h |
| push ebp |
| call 00007F08D0DBE226h |
| cmp eax, ebp |
| je 00007F08D0DBB0D9h |
| push 00000C00h |
| call eax |
| push ebx |
| push edi |
| push 0040A2F4h |
| call 00007F08D0DBE1A3h |
| push 0040A2ECh |
| call 00007F08D0DBE199h |
| push 0040A2E0h |
| call 00007F08D0DBE18Fh |
| push 00000009h |
| call 00007F08D0DBE1F4h |
| push 00000007h |
| call 00007F08D0DBE1EDh |
| mov dword ptr [00434F04h], eax |
| call dword ptr [00408044h] |
| push ebp |
| call dword ptr [004082A8h] |
| mov dword ptr [00434FB8h], eax |
| push ebp |
| lea eax, dword ptr [esp+34h] |
| push 000002B4h |
| push eax |
| push ebp |
| push 0042B228h |
| call dword ptr [0040818Ch] |
| push 0040A2C8h |
| push 00433F00h |
| call 00007F08D0DBDDDAh |
| call dword ptr [004080A8h] |
| mov ebx, 0043F000h |
| push eax |
| push ebx |
| call 00007F08D0DBDDC8h |
| push ebp |
| call dword ptr [00408178h] |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x85c8 | 0xa0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5d000 | 0x11e0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b8 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x637c | 0x6400 | 83ff228d6dae8dd738eb2f78afbc793f | False | 0.672421875 | data | 6.491609540807675 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x8000 | 0x147c | 0x1600 | d9f9b0b330e238260616b62a7a3cac09 | False | 0.42933238636363635 | data | 4.973928345594701 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xa000 | 0x2aff8 | 0x600 | 3f2b05c8fbb8b2e4c9c89e93d30e7252 | False | 0.53125 | data | 4.133631086111171 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .ndata | 0x35000 | 0x28000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x5d000 | 0x11e0 | 0x1200 | 20639f4e7c421f5379e2fb9ea4a1530d | False | 0.3684895833333333 | data | 4.485045860065118 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_BITMAP | 0x5d268 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States | 0.23623853211009174 |
| RT_ICON | 0x5d5d0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.42473118279569894 |
| RT_DIALOG | 0x5d8b8 | 0x144 | data | English | United States | 0.5216049382716049 |
| RT_DIALOG | 0x5da00 | 0x13c | data | English | United States | 0.5506329113924051 |
| RT_DIALOG | 0x5db40 | 0x100 | data | English | United States | 0.5234375 |
| RT_DIALOG | 0x5dc40 | 0x11c | data | English | United States | 0.6056338028169014 |
| RT_DIALOG | 0x5dd60 | 0xc4 | data | English | United States | 0.5918367346938775 |
| RT_DIALOG | 0x5de28 | 0x60 | data | English | United States | 0.7291666666666666 |
| RT_GROUP_ICON | 0x5de88 | 0x14 | data | English | United States | 1.2 |
| RT_MANIFEST | 0x5dea0 | 0x33f | XML 1.0 document, ASCII text, with very long lines (831), with no line terminators | English | United States | 0.5547533092659447 |
| DLL | Import |
|---|---|
| KERNEL32.dll | SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, MoveFileW, SetFileAttributesW, GetCurrentProcess, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, CopyFileW, CompareFileTime, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, LoadLibraryW, GetProcAddress, GetModuleHandleA, ExpandEnvironmentStringsW, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, GlobalFree, lstrcmpW, GlobalAlloc, WaitForSingleObject, GlobalUnlock, GetDiskFreeSpaceW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW |
| USER32.dll | GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, GetDC, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, LoadImageW, SetWindowLongW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, SetTimer, FindWindowExW, SendMessageTimeoutW, SetForegroundWindow |
| GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
| SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW |
| ADVAPI32.dll | RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW |
| COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
| ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-11T07:20:01.715417+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.9 | 49709 | 142.250.185.142 | 443 | TCP |
| 2025-01-11T07:20:15.627680+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49711 | 132.226.247.73 | 80 | TCP |
| 2025-01-11T07:20:25.191376+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49711 | 132.226.247.73 | 80 | TCP |
| 2025-01-11T07:20:27.737418+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49711 | 132.226.247.73 | 80 | TCP |
| 2025-01-11T07:20:28.407804+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.9 | 49713 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:20:28.673274+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.9 | 49713 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:20:31.424576+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49714 | 132.226.247.73 | 80 | TCP |
| 2025-01-11T07:20:32.009754+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.9 | 49715 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:20:32.352743+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.9 | 49715 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:20:33.112153+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49716 | 132.226.247.73 | 80 | TCP |
| 2025-01-11T07:20:33.688144+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.9 | 49717 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:20:33.907815+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.9 | 49717 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:20:36.194186+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.9 | 49719 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:20:36.397639+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.9 | 49719 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:20:37.707556+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.9 | 49721 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:20:37.992261+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.9 | 49721 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:20:39.294053+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.9 | 49723 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:20:39.600046+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.9 | 49723 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:20:40.942200+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.9 | 49725 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:20:41.250577+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.9 | 49725 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:20:45.052385+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.9 | 49727 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:20:45.361029+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.9 | 49727 | 149.154.167.220 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 11, 2025 07:20:00.644867897 CET | 49709 | 443 | 192.168.2.9 | 142.250.185.142 |
| Jan 11, 2025 07:20:00.644916058 CET | 443 | 49709 | 142.250.185.142 | 192.168.2.9 |
| Jan 11, 2025 07:20:00.645010948 CET | 49709 | 443 | 192.168.2.9 | 142.250.185.142 |
| Jan 11, 2025 07:20:00.664413929 CET | 49709 | 443 | 192.168.2.9 | 142.250.185.142 |
| Jan 11, 2025 07:20:00.664437056 CET | 443 | 49709 | 142.250.185.142 | 192.168.2.9 |
| Jan 11, 2025 07:20:01.321892023 CET | 443 | 49709 | 142.250.185.142 | 192.168.2.9 |
| Jan 11, 2025 07:20:01.322035074 CET | 49709 | 443 | 192.168.2.9 | 142.250.185.142 |
| Jan 11, 2025 07:20:01.322660923 CET | 443 | 49709 | 142.250.185.142 | 192.168.2.9 |
| Jan 11, 2025 07:20:01.322725058 CET | 49709 | 443 | 192.168.2.9 | 142.250.185.142 |
| Jan 11, 2025 07:20:01.386884928 CET | 49709 | 443 | 192.168.2.9 | 142.250.185.142 |
| Jan 11, 2025 07:20:01.386909008 CET | 443 | 49709 | 142.250.185.142 | 192.168.2.9 |
| Jan 11, 2025 07:20:01.387278080 CET | 443 | 49709 | 142.250.185.142 | 192.168.2.9 |
| Jan 11, 2025 07:20:01.387341022 CET | 49709 | 443 | 192.168.2.9 | 142.250.185.142 |
| Jan 11, 2025 07:20:01.391113997 CET | 49709 | 443 | 192.168.2.9 | 142.250.185.142 |
| Jan 11, 2025 07:20:01.431333065 CET | 443 | 49709 | 142.250.185.142 | 192.168.2.9 |
| Jan 11, 2025 07:20:01.715389967 CET | 443 | 49709 | 142.250.185.142 | 192.168.2.9 |
| Jan 11, 2025 07:20:01.715508938 CET | 49709 | 443 | 192.168.2.9 | 142.250.185.142 |
| Jan 11, 2025 07:20:01.715658903 CET | 49709 | 443 | 192.168.2.9 | 142.250.185.142 |
| Jan 11, 2025 07:20:01.715708017 CET | 443 | 49709 | 142.250.185.142 | 192.168.2.9 |
| Jan 11, 2025 07:20:01.715760946 CET | 49709 | 443 | 192.168.2.9 | 142.250.185.142 |
| Jan 11, 2025 07:20:01.740014076 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:01.740055084 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:01.740115881 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:01.740406036 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:01.740420103 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:02.374368906 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:02.374481916 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:02.385899067 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:02.385927916 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:02.386238098 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:02.386339903 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:02.387334108 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:02.431325912 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.607770920 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.607928038 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.613617897 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.613706112 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.626230955 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.626329899 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.626343012 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.626539946 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.632528067 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.632603884 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.694413900 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.694500923 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.694585085 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.694586039 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.694602013 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.694649935 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.697164059 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.697227955 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.697236061 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.697278976 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.703329086 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.703542948 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.703551054 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.703598976 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.709570885 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.709630013 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.709711075 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.709759951 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.715919971 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.716010094 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.716017962 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.716064930 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.722275019 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.722362995 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.722372055 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.722414970 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.728450060 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.728522062 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.728529930 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.728569984 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.734776020 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.734843969 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.734852076 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.735013008 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.740592003 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.740660906 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.740670919 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.740711927 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.746479034 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.746560097 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.746568918 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.746607065 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.752114058 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.752227068 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.752235889 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.752289057 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.758049965 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.758099079 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.761949062 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.762067080 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.763751984 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.763803005 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.781028032 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.781084061 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.781090021 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.781100988 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.781121969 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.781152964 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.781162024 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.781202078 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.781333923 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.781383038 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.783286095 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.783339024 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.783919096 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.784068108 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.789113998 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.789154053 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.789180994 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.789191961 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.789205074 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.789371967 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.794557095 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.794620991 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.794630051 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.794675112 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.800002098 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.800055027 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.800111055 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.800153017 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.805072069 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.805121899 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.805129051 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.805170059 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.809919119 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.809971094 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.810090065 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.810136080 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.814766884 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.814810038 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.814815998 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.815337896 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.819322109 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.819379091 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.819386959 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.819432974 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.823985100 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.824033022 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.824040890 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.824119091 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.828610897 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.828661919 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.828676939 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.828722000 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.833250046 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.833311081 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.833326101 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.833360910 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.837876081 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.837984085 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.837995052 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.838041067 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.842390060 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.842437983 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.842446089 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.842556000 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.846592903 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.846641064 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.846647024 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.846690893 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.846695900 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.846740007 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.846745014 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.846776009 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:04.846785069 CET | 443 | 49710 | 216.58.206.65 | 192.168.2.9 |
| Jan 11, 2025 07:20:04.846797943 CET | 49710 | 443 | 192.168.2.9 | 216.58.206.65 |
| Jan 11, 2025 07:20:05.215642929 CET | 49711 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:05.220483065 CET | 80 | 49711 | 132.226.247.73 | 192.168.2.9 |
| Jan 11, 2025 07:20:05.220668077 CET | 49711 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:05.220906019 CET | 49711 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:05.226366043 CET | 80 | 49711 | 132.226.247.73 | 192.168.2.9 |
| Jan 11, 2025 07:20:13.844959021 CET | 80 | 49711 | 132.226.247.73 | 192.168.2.9 |
| Jan 11, 2025 07:20:13.853431940 CET | 49711 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:13.858185053 CET | 80 | 49711 | 132.226.247.73 | 192.168.2.9 |
| Jan 11, 2025 07:20:15.587677002 CET | 80 | 49711 | 132.226.247.73 | 192.168.2.9 |
| Jan 11, 2025 07:20:15.627680063 CET | 49711 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:15.867816925 CET | 49712 | 443 | 192.168.2.9 | 104.21.32.1 |
| Jan 11, 2025 07:20:15.867852926 CET | 443 | 49712 | 104.21.32.1 | 192.168.2.9 |
| Jan 11, 2025 07:20:15.867933989 CET | 49712 | 443 | 192.168.2.9 | 104.21.32.1 |
| Jan 11, 2025 07:20:15.870136023 CET | 49712 | 443 | 192.168.2.9 | 104.21.32.1 |
| Jan 11, 2025 07:20:15.870145082 CET | 443 | 49712 | 104.21.32.1 | 192.168.2.9 |
| Jan 11, 2025 07:20:16.338881969 CET | 443 | 49712 | 104.21.32.1 | 192.168.2.9 |
| Jan 11, 2025 07:20:16.339071989 CET | 49712 | 443 | 192.168.2.9 | 104.21.32.1 |
| Jan 11, 2025 07:20:16.354717970 CET | 49712 | 443 | 192.168.2.9 | 104.21.32.1 |
| Jan 11, 2025 07:20:16.354739904 CET | 443 | 49712 | 104.21.32.1 | 192.168.2.9 |
| Jan 11, 2025 07:20:16.355103970 CET | 443 | 49712 | 104.21.32.1 | 192.168.2.9 |
| Jan 11, 2025 07:20:16.361531973 CET | 49712 | 443 | 192.168.2.9 | 104.21.32.1 |
| Jan 11, 2025 07:20:16.403327942 CET | 443 | 49712 | 104.21.32.1 | 192.168.2.9 |
| Jan 11, 2025 07:20:16.485600948 CET | 443 | 49712 | 104.21.32.1 | 192.168.2.9 |
| Jan 11, 2025 07:20:16.485662937 CET | 443 | 49712 | 104.21.32.1 | 192.168.2.9 |
| Jan 11, 2025 07:20:16.485873938 CET | 49712 | 443 | 192.168.2.9 | 104.21.32.1 |
| Jan 11, 2025 07:20:16.494637012 CET | 49712 | 443 | 192.168.2.9 | 104.21.32.1 |
| Jan 11, 2025 07:20:21.929239988 CET | 49711 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:21.934555054 CET | 80 | 49711 | 132.226.247.73 | 192.168.2.9 |
| Jan 11, 2025 07:20:25.141398907 CET | 80 | 49711 | 132.226.247.73 | 192.168.2.9 |
| Jan 11, 2025 07:20:25.191375971 CET | 49711 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:25.479232073 CET | 49711 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:25.484153032 CET | 80 | 49711 | 132.226.247.73 | 192.168.2.9 |
| Jan 11, 2025 07:20:27.692233086 CET | 80 | 49711 | 132.226.247.73 | 192.168.2.9 |
| Jan 11, 2025 07:20:27.707034111 CET | 49713 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:27.707091093 CET | 443 | 49713 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:27.707187891 CET | 49713 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:27.707942009 CET | 49713 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:27.707961082 CET | 443 | 49713 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:27.737417936 CET | 49711 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:28.346062899 CET | 443 | 49713 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:28.346221924 CET | 49713 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:28.349812984 CET | 49713 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:28.349832058 CET | 443 | 49713 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:28.350255013 CET | 443 | 49713 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:28.351695061 CET | 49713 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:28.395332098 CET | 443 | 49713 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:28.407731056 CET | 49713 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:28.407741070 CET | 443 | 49713 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:28.673314095 CET | 443 | 49713 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:28.673391104 CET | 443 | 49713 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:28.673430920 CET | 49713 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:28.682600975 CET | 49713 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:28.693171024 CET | 49711 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:28.694212914 CET | 49714 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:28.698251963 CET | 80 | 49711 | 132.226.247.73 | 192.168.2.9 |
| Jan 11, 2025 07:20:28.698340893 CET | 49711 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:28.698987007 CET | 80 | 49714 | 132.226.247.73 | 192.168.2.9 |
| Jan 11, 2025 07:20:28.699173927 CET | 49714 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:28.699321032 CET | 49714 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:28.704082966 CET | 80 | 49714 | 132.226.247.73 | 192.168.2.9 |
| Jan 11, 2025 07:20:31.370702028 CET | 80 | 49714 | 132.226.247.73 | 192.168.2.9 |
| Jan 11, 2025 07:20:31.386373997 CET | 49715 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:31.386440039 CET | 443 | 49715 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:31.386534929 CET | 49715 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:31.386796951 CET | 49715 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:31.386816978 CET | 443 | 49715 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:31.424576044 CET | 49714 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:32.007700920 CET | 443 | 49715 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:32.009510994 CET | 49715 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:32.009543896 CET | 443 | 49715 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:32.009614944 CET | 49715 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:32.009625912 CET | 443 | 49715 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:32.352765083 CET | 443 | 49715 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:32.352852106 CET | 443 | 49715 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:32.352933884 CET | 49715 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:32.353368998 CET | 49715 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:32.356585979 CET | 49714 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:32.357898951 CET | 49716 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:32.361607075 CET | 80 | 49714 | 132.226.247.73 | 192.168.2.9 |
| Jan 11, 2025 07:20:32.361685991 CET | 49714 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:32.362776041 CET | 80 | 49716 | 132.226.247.73 | 192.168.2.9 |
| Jan 11, 2025 07:20:32.362852097 CET | 49716 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:32.362955093 CET | 49716 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:32.367775917 CET | 80 | 49716 | 132.226.247.73 | 192.168.2.9 |
| Jan 11, 2025 07:20:33.056241989 CET | 80 | 49716 | 132.226.247.73 | 192.168.2.9 |
| Jan 11, 2025 07:20:33.057487965 CET | 49717 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:33.057537079 CET | 443 | 49717 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:33.057607889 CET | 49717 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:33.057874918 CET | 49717 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:33.057888031 CET | 443 | 49717 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:33.112153053 CET | 49716 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:33.685622931 CET | 443 | 49717 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:33.687922955 CET | 49717 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:33.687952995 CET | 443 | 49717 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:33.688028097 CET | 49717 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:33.688035965 CET | 443 | 49717 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:33.907857895 CET | 443 | 49717 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:33.907938957 CET | 443 | 49717 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:33.907994032 CET | 49717 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:33.908468008 CET | 49717 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:33.912863016 CET | 49718 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:33.917700052 CET | 80 | 49718 | 132.226.247.73 | 192.168.2.9 |
| Jan 11, 2025 07:20:33.917819023 CET | 49718 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:33.917927027 CET | 49718 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:33.922905922 CET | 80 | 49718 | 132.226.247.73 | 192.168.2.9 |
| Jan 11, 2025 07:20:35.587040901 CET | 80 | 49718 | 132.226.247.73 | 192.168.2.9 |
| Jan 11, 2025 07:20:35.588376999 CET | 49719 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:35.588423014 CET | 443 | 49719 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:35.588511944 CET | 49719 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:35.588803053 CET | 49719 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:35.588814020 CET | 443 | 49719 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:35.627773046 CET | 49718 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:36.192302942 CET | 443 | 49719 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:36.194046974 CET | 49719 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:36.194078922 CET | 443 | 49719 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:36.194137096 CET | 49719 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:36.194142103 CET | 443 | 49719 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:36.397563934 CET | 443 | 49719 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:36.397645950 CET | 443 | 49719 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:36.397716045 CET | 49719 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:36.398158073 CET | 49719 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:36.401041031 CET | 49718 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:36.402170897 CET | 49720 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:36.406038046 CET | 80 | 49718 | 132.226.247.73 | 192.168.2.9 |
| Jan 11, 2025 07:20:36.406116962 CET | 49718 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:36.407046080 CET | 80 | 49720 | 132.226.247.73 | 192.168.2.9 |
| Jan 11, 2025 07:20:36.407200098 CET | 49720 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:36.407249928 CET | 49720 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:36.412075996 CET | 80 | 49720 | 132.226.247.73 | 192.168.2.9 |
| Jan 11, 2025 07:20:37.080285072 CET | 80 | 49720 | 132.226.247.73 | 192.168.2.9 |
| Jan 11, 2025 07:20:37.081442118 CET | 49721 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:37.081475019 CET | 443 | 49721 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:37.081537008 CET | 49721 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:37.081788063 CET | 49721 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:37.081804037 CET | 443 | 49721 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:37.127763033 CET | 49720 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:37.705590010 CET | 443 | 49721 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:37.707197905 CET | 49721 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:37.707222939 CET | 443 | 49721 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:37.707279921 CET | 49721 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:37.707288027 CET | 443 | 49721 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:37.992424965 CET | 443 | 49721 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:37.992631912 CET | 443 | 49721 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:37.992702961 CET | 49721 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:37.992979050 CET | 49721 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:37.996040106 CET | 49720 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:37.996603966 CET | 49722 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:38.001643896 CET | 80 | 49720 | 132.226.247.73 | 192.168.2.9 |
| Jan 11, 2025 07:20:38.001692057 CET | 80 | 49722 | 132.226.247.73 | 192.168.2.9 |
| Jan 11, 2025 07:20:38.001710892 CET | 49720 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:38.001766920 CET | 49722 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:38.001841068 CET | 49722 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:38.006678104 CET | 80 | 49722 | 132.226.247.73 | 192.168.2.9 |
| Jan 11, 2025 07:20:38.674196959 CET | 80 | 49722 | 132.226.247.73 | 192.168.2.9 |
| Jan 11, 2025 07:20:38.675430059 CET | 49723 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:38.675489902 CET | 443 | 49723 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:38.675558090 CET | 49723 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:38.675792933 CET | 49723 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:38.675815105 CET | 443 | 49723 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:38.721518993 CET | 49722 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:39.292253971 CET | 443 | 49723 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:39.293708086 CET | 49723 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:39.293749094 CET | 443 | 49723 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:39.293808937 CET | 49723 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:39.293818951 CET | 443 | 49723 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:39.599975109 CET | 443 | 49723 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:39.600044966 CET | 443 | 49723 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:39.600110054 CET | 49723 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:39.600521088 CET | 49723 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:39.603507996 CET | 49722 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:39.604110003 CET | 49724 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:39.608519077 CET | 80 | 49722 | 132.226.247.73 | 192.168.2.9 |
| Jan 11, 2025 07:20:39.608588934 CET | 49722 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:39.608939886 CET | 80 | 49724 | 132.226.247.73 | 192.168.2.9 |
| Jan 11, 2025 07:20:39.608998060 CET | 49724 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:39.609081030 CET | 49724 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:39.613905907 CET | 80 | 49724 | 132.226.247.73 | 192.168.2.9 |
| Jan 11, 2025 07:20:40.295941114 CET | 80 | 49724 | 132.226.247.73 | 192.168.2.9 |
| Jan 11, 2025 07:20:40.297725916 CET | 49725 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:40.297784090 CET | 443 | 49725 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:40.297940969 CET | 49725 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:40.298413038 CET | 49725 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:40.298427105 CET | 443 | 49725 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:40.346481085 CET | 49724 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:40.940259933 CET | 443 | 49725 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:40.941936016 CET | 49725 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:40.941958904 CET | 443 | 49725 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:40.941998005 CET | 49725 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:40.942006111 CET | 443 | 49725 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:41.250464916 CET | 443 | 49725 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:41.250552893 CET | 443 | 49725 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:41.250713110 CET | 49725 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:41.251342058 CET | 49725 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:41.254499912 CET | 49724 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:41.255822897 CET | 49726 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:41.259442091 CET | 80 | 49724 | 132.226.247.73 | 192.168.2.9 |
| Jan 11, 2025 07:20:41.259505033 CET | 49724 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:41.260596991 CET | 80 | 49726 | 132.226.247.73 | 192.168.2.9 |
| Jan 11, 2025 07:20:41.260663986 CET | 49726 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:41.260770082 CET | 49726 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:41.265547037 CET | 80 | 49726 | 132.226.247.73 | 192.168.2.9 |
| Jan 11, 2025 07:20:41.940922976 CET | 80 | 49726 | 132.226.247.73 | 192.168.2.9 |
| Jan 11, 2025 07:20:41.987143993 CET | 49726 | 80 | 192.168.2.9 | 132.226.247.73 |
| Jan 11, 2025 07:20:44.422343969 CET | 49727 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:44.422415018 CET | 443 | 49727 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:44.422472954 CET | 49727 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:44.422718048 CET | 49727 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:44.422734022 CET | 443 | 49727 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:45.050636053 CET | 443 | 49727 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:45.052237988 CET | 49727 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:45.052263975 CET | 443 | 49727 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:45.052323103 CET | 49727 | 443 | 192.168.2.9 | 149.154.167.220 |
| Jan 11, 2025 07:20:45.052328110 CET | 443 | 49727 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:45.361064911 CET | 443 | 49727 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:45.361157894 CET | 443 | 49727 | 149.154.167.220 | 192.168.2.9 |
| Jan 11, 2025 07:20:45.361216068 CET | 49727 | 443 | 192.168.2.9 | 149.154.167.220 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 11, 2025 07:20:00.630072117 CET | 59630 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 11, 2025 07:20:00.637142897 CET | 53 | 59630 | 1.1.1.1 | 192.168.2.9 |
| Jan 11, 2025 07:20:01.732357025 CET | 61054 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 11, 2025 07:20:01.739254951 CET | 53 | 61054 | 1.1.1.1 | 192.168.2.9 |
| Jan 11, 2025 07:20:05.204962015 CET | 54452 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 11, 2025 07:20:05.211642981 CET | 53 | 54452 | 1.1.1.1 | 192.168.2.9 |
| Jan 11, 2025 07:20:15.859863043 CET | 51717 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 11, 2025 07:20:15.867202044 CET | 53 | 51717 | 1.1.1.1 | 192.168.2.9 |
| Jan 11, 2025 07:20:27.699206114 CET | 58198 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 11, 2025 07:20:27.705984116 CET | 53 | 58198 | 1.1.1.1 | 192.168.2.9 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Jan 11, 2025 07:20:00.630072117 CET | 192.168.2.9 | 1.1.1.1 | 0xe83d | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 11, 2025 07:20:01.732357025 CET | 192.168.2.9 | 1.1.1.1 | 0x662d | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 11, 2025 07:20:05.204962015 CET | 192.168.2.9 | 1.1.1.1 | 0xca82 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 11, 2025 07:20:15.859863043 CET | 192.168.2.9 | 1.1.1.1 | 0x10ec | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 11, 2025 07:20:27.699206114 CET | 192.168.2.9 | 1.1.1.1 | 0xd51d | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jan 11, 2025 07:20:00.637142897 CET | 1.1.1.1 | 192.168.2.9 | 0xe83d | No error (0) | 142.250.185.142 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 07:20:01.739254951 CET | 1.1.1.1 | 192.168.2.9 | 0x662d | No error (0) | 216.58.206.65 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 07:20:05.211642981 CET | 1.1.1.1 | 192.168.2.9 | 0xca82 | No error (0) | checkip.dyndns.com | CNAME (Canonical name) | IN (0x0001) | false | ||
| Jan 11, 2025 07:20:05.211642981 CET | 1.1.1.1 | 192.168.2.9 | 0xca82 | No error (0) | 132.226.247.73 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 07:20:05.211642981 CET | 1.1.1.1 | 192.168.2.9 | 0xca82 | No error (0) | 158.101.44.242 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 07:20:05.211642981 CET | 1.1.1.1 | 192.168.2.9 | 0xca82 | No error (0) | 193.122.130.0 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 07:20:05.211642981 CET | 1.1.1.1 | 192.168.2.9 | 0xca82 | No error (0) | 193.122.6.168 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 07:20:05.211642981 CET | 1.1.1.1 | 192.168.2.9 | 0xca82 | No error (0) | 132.226.8.169 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 07:20:15.867202044 CET | 1.1.1.1 | 192.168.2.9 | 0x10ec | No error (0) | 104.21.32.1 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 07:20:15.867202044 CET | 1.1.1.1 | 192.168.2.9 | 0x10ec | No error (0) | 104.21.48.1 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 07:20:15.867202044 CET | 1.1.1.1 | 192.168.2.9 | 0x10ec | No error (0) | 104.21.96.1 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 07:20:15.867202044 CET | 1.1.1.1 | 192.168.2.9 | 0x10ec | No error (0) | 104.21.80.1 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 07:20:15.867202044 CET | 1.1.1.1 | 192.168.2.9 | 0x10ec | No error (0) | 104.21.112.1 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 07:20:15.867202044 CET | 1.1.1.1 | 192.168.2.9 | 0x10ec | No error (0) | 104.21.16.1 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 07:20:15.867202044 CET | 1.1.1.1 | 192.168.2.9 | 0x10ec | No error (0) | 104.21.64.1 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 07:20:27.705984116 CET | 1.1.1.1 | 192.168.2.9 | 0xd51d | No error (0) | 149.154.167.220 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.9 | 49711 | 132.226.247.73 | 80 | 8088 | C:\Users\user\Desktop\14lVOjBoI2.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jan 11, 2025 07:20:05.220906019 CET | 151 | OUT | |
| Jan 11, 2025 07:20:13.844959021 CET | 273 | IN | |
| Jan 11, 2025 07:20:13.853431940 CET | 127 | OUT | |
| Jan 11, 2025 07:20:15.587677002 CET | 273 | IN | |
| Jan 11, 2025 07:20:21.929239988 CET | 127 | OUT | |
| Jan 11, 2025 07:20:25.141398907 CET | 697 | IN | |
| Jan 11, 2025 07:20:25.479232073 CET | 127 | OUT | |
| Jan 11, 2025 07:20:27.692233086 CET | 273 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.9 | 49714 | 132.226.247.73 | 80 | 8088 | C:\Users\user\Desktop\14lVOjBoI2.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jan 11, 2025 07:20:28.699321032 CET | 127 | OUT | |
| Jan 11, 2025 07:20:31.370702028 CET | 273 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.9 | 49716 | 132.226.247.73 | 80 | 8088 | C:\Users\user\Desktop\14lVOjBoI2.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jan 11, 2025 07:20:32.362955093 CET | 127 | OUT | |
| Jan 11, 2025 07:20:33.056241989 CET | 273 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.9 | 49718 | 132.226.247.73 | 80 | 8088 | C:\Users\user\Desktop\14lVOjBoI2.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jan 11, 2025 07:20:33.917927027 CET | 151 | OUT | |
| Jan 11, 2025 07:20:35.587040901 CET | 273 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.9 | 49720 | 132.226.247.73 | 80 | 8088 | C:\Users\user\Desktop\14lVOjBoI2.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jan 11, 2025 07:20:36.407249928 CET | 151 | OUT | |
| Jan 11, 2025 07:20:37.080285072 CET | 273 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.9 | 49722 | 132.226.247.73 | 80 | 8088 | C:\Users\user\Desktop\14lVOjBoI2.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jan 11, 2025 07:20:38.001841068 CET | 151 | OUT | |
| Jan 11, 2025 07:20:38.674196959 CET | 273 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.9 | 49724 | 132.226.247.73 | 80 | 8088 | C:\Users\user\Desktop\14lVOjBoI2.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jan 11, 2025 07:20:39.609081030 CET | 151 | OUT | |
| Jan 11, 2025 07:20:40.295941114 CET | 273 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.9 | 49726 | 132.226.247.73 | 80 | 8088 | C:\Users\user\Desktop\14lVOjBoI2.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jan 11, 2025 07:20:41.260770082 CET | 151 | OUT | |
| Jan 11, 2025 07:20:41.940922976 CET | 273 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.9 | 49709 | 142.250.185.142 | 443 | 8088 | C:\Users\user\Desktop\14lVOjBoI2.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-11 06:20:01 UTC | 216 | OUT | |
| 2025-01-11 06:20:01 UTC | 1920 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.9 | 49710 | 216.58.206.65 | 443 | 8088 | C:\Users\user\Desktop\14lVOjBoI2.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-11 06:20:02 UTC | 258 | OUT | |
| 2025-01-11 06:20:04 UTC | 4945 | IN | |
| 2025-01-11 06:20:04 UTC | 4945 | IN | |
| 2025-01-11 06:20:04 UTC | 4803 | IN | |
| 2025-01-11 06:20:04 UTC | 1328 | IN | |
| 2025-01-11 06:20:04 UTC | 1390 | IN | |
| 2025-01-11 06:20:04 UTC | 1390 | IN | |
| 2025-01-11 06:20:04 UTC | 1390 | IN | |
| 2025-01-11 06:20:04 UTC | 1390 | IN | |
| 2025-01-11 06:20:04 UTC | 1390 | IN | |
| 2025-01-11 06:20:04 UTC | 1390 | IN | |
| 2025-01-11 06:20:04 UTC | 1390 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.9 | 49712 | 104.21.32.1 | 443 | 8088 | C:\Users\user\Desktop\14lVOjBoI2.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-11 06:20:16 UTC | 85 | OUT | |
| 2025-01-11 06:20:16 UTC | 861 | IN | |
| 2025-01-11 06:20:16 UTC | 362 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.9 | 49713 | 149.154.167.220 | 443 | 8088 | C:\Users\user\Desktop\14lVOjBoI2.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-11 06:20:28 UTC | 294 | OUT | |
| 2025-01-11 06:20:28 UTC | 1090 | OUT | |
| 2025-01-11 06:20:28 UTC | 388 | IN | |
| 2025-01-11 06:20:28 UTC | 534 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.9 | 49715 | 149.154.167.220 | 443 | 8088 | C:\Users\user\Desktop\14lVOjBoI2.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-11 06:20:32 UTC | 294 | OUT | |
| 2025-01-11 06:20:32 UTC | 1090 | OUT | |
| 2025-01-11 06:20:32 UTC | 388 | IN | |
| 2025-01-11 06:20:32 UTC | 535 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.9 | 49717 | 149.154.167.220 | 443 | 8088 | C:\Users\user\Desktop\14lVOjBoI2.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-11 06:20:33 UTC | 270 | OUT | |
| 2025-01-11 06:20:33 UTC | 1090 | OUT | |
| 2025-01-11 06:20:33 UTC | 388 | IN | |
| 2025-01-11 06:20:33 UTC | 534 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.9 | 49719 | 149.154.167.220 | 443 | 8088 | C:\Users\user\Desktop\14lVOjBoI2.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-11 06:20:36 UTC | 294 | OUT | |
| 2025-01-11 06:20:36 UTC | 1090 | OUT | |
| 2025-01-11 06:20:36 UTC | 388 | IN | |
| 2025-01-11 06:20:36 UTC | 534 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.9 | 49721 | 149.154.167.220 | 443 | 8088 | C:\Users\user\Desktop\14lVOjBoI2.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-11 06:20:37 UTC | 294 | OUT | |
| 2025-01-11 06:20:37 UTC | 1090 | OUT | |
| 2025-01-11 06:20:37 UTC | 388 | IN | |
| 2025-01-11 06:20:37 UTC | 534 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 8 | 192.168.2.9 | 49723 | 149.154.167.220 | 443 | 8088 | C:\Users\user\Desktop\14lVOjBoI2.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-11 06:20:39 UTC | 294 | OUT | |
| 2025-01-11 06:20:39 UTC | 1090 | OUT | |
| 2025-01-11 06:20:39 UTC | 388 | IN | |
| 2025-01-11 06:20:39 UTC | 534 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 9 | 192.168.2.9 | 49725 | 149.154.167.220 | 443 | 8088 | C:\Users\user\Desktop\14lVOjBoI2.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-11 06:20:40 UTC | 294 | OUT | |
| 2025-01-11 06:20:40 UTC | 1090 | OUT | |
| 2025-01-11 06:20:41 UTC | 388 | IN | |
| 2025-01-11 06:20:41 UTC | 534 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port |
|---|---|---|---|---|
| 10 | 192.168.2.9 | 49727 | 149.154.167.220 | 443 |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-11 06:20:45 UTC | 294 | OUT | |
| 2025-01-11 06:20:45 UTC | 1090 | OUT | |
| 2025-01-11 06:20:45 UTC | 388 | IN | |
| 2025-01-11 06:20:45 UTC | 534 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 01:18:35 |
| Start date: | 11/01/2025 |
| Path: | C:\Users\user\Desktop\14lVOjBoI2.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 472'339 bytes |
| MD5 hash: | EBF8A74191898B4A5CD58FFE2035C1EE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 5 |
| Start time: | 01:19:48 |
| Start date: | 11/01/2025 |
| Path: | C:\Users\user\Desktop\14lVOjBoI2.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 472'339 bytes |
| MD5 hash: | EBF8A74191898B4A5CD58FFE2035C1EE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | false |
Execution Graph
| Execution Coverage: | 21.2% |
| Dynamic/Decrypted Code Coverage: | 13.9% |
| Signature Coverage: | 20.8% |
| Total number of Nodes: | 1516 |
| Total number of Limit Nodes: | 46 |
Graph
Function 004032A0 Relevance: 89.7, APIs: 32, Strings: 19, Instructions: 401stringfilecomCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404B30 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406077 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 207stringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405846 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148filestringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406398 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004027FB Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040389E Relevance: 47.5, APIs: 14, Strings: 13, Instructions: 215stringregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401767 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145stringtimeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004025E5 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040237B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71registrystringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004063BF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405128 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401FC3 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100028A4 Relevance: 3.2, APIs: 2, Instructions: 156COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401DDC Relevance: 3.0, APIs: 2, Instructions: 21COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405C2A Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405700 Relevance: 3.0, APIs: 2, Instructions: 9COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402786 Relevance: 1.5, APIs: 1, Instructions: 26COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040229D Relevance: 1.5, APIs: 1, Instructions: 25COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405CDC Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405CAD Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100027C7 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040159B Relevance: 1.5, APIs: 1, Instructions: 18COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040414E Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403258 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 1000121B Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004052F3 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284windowclipboardmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004045B4 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040686A Relevance: .3, Instructions: 334COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407041 Relevance: .3, Instructions: 300COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004042B6 Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 207windowstringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405D84 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131stringmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404180 Relevance: 12.1, APIs: 8, Instructions: 61COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404A7E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402D04 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100022D0 Relevance: 9.1, APIs: 6, Instructions: 136memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402537 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100018A9 Relevance: 7.7, APIs: 5, Instructions: 189COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100015FF Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401CFA Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404970 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401BDF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405F22 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405A09 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402D8A Relevance: 6.0, APIs: 4, Instructions: 33COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405B11 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100015B4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405735 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405A55 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100010E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405B8F Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 10.3% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 1.7% |
| Total number of Nodes: | 347 |
| Total number of Limit Nodes: | 24 |
Graph
Function 00114328 Relevance: 3.9, Strings: 3, Instructions: 195COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00118DA0 Relevance: 2.4, Strings: 1, Instructions: 1138COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38D70C1B Relevance: 1.5, Strings: 1, Instructions: 245COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38D70C28 Relevance: 1.5, Strings: 1, Instructions: 220COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 392CE5C8 Relevance: .8, Instructions: 764COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DCBDF0 Relevance: .8, Instructions: 758COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DC8650 Relevance: .7, Instructions: 709COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001127B9 Relevance: .7, Instructions: 697COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00115F90 Relevance: .4, Instructions: 443COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38D7C638 Relevance: .3, Instructions: 321COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38D703AF Relevance: .3, Instructions: 288COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DC6368 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DCA360 Relevance: .2, Instructions: 219COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DC9D10 Relevance: .2, Instructions: 219COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DCA9B0 Relevance: .2, Instructions: 218COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DC96C8 Relevance: .2, Instructions: 218COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38D70F6F Relevance: .2, Instructions: 202COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DCBA97 Relevance: .2, Instructions: 191COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DC8640 Relevance: .2, Instructions: 182COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DC96C3 Relevance: .2, Instructions: 159COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DCA9AF Relevance: .2, Instructions: 158COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DC9D0B Relevance: .1, Instructions: 103COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DCA35F Relevance: .1, Instructions: 102COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DC6358 Relevance: .1, Instructions: 101COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 392C0851 Relevance: 6.1, APIs: 4, Instructions: 142threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 392C0898 Relevance: 6.1, APIs: 4, Instructions: 138threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 392C08A8 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00110B29 Relevance: 2.7, Strings: 2, Instructions: 203COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00110B30 Relevance: 2.7, Strings: 2, Instructions: 200COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 392C0006 Relevance: 1.6, APIs: 1, Instructions: 141COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 392C0040 Relevance: 1.6, APIs: 1, Instructions: 113COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 392C18F0 Relevance: 1.6, APIs: 1, Instructions: 93COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 392C0AE9 Relevance: 1.6, APIs: 1, Instructions: 66COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 392C0AF0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 392C1B48 Relevance: 1.5, APIs: 1, Instructions: 49timeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 392CD228 Relevance: 1.5, APIs: 1, Instructions: 47comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 392CC410 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 392CC4BC Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 392C1B50 Relevance: 1.5, APIs: 1, Instructions: 44timeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 392CE500 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00118BF0 Relevance: 1.4, Strings: 1, Instructions: 105COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001166B8 Relevance: .5, Instructions: 456COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00114F00 Relevance: .3, Instructions: 329COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DCC175 Relevance: .3, Instructions: 322COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001119B8 Relevance: .3, Instructions: 321COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DCC173 Relevance: .3, Instructions: 319COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00115460 Relevance: .2, Instructions: 229COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00116C98 Relevance: .2, Instructions: 201COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0011AF90 Relevance: .2, Instructions: 201COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DCF890 Relevance: .2, Instructions: 189COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DCBA88 Relevance: .2, Instructions: 157COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DCD320 Relevance: .2, Instructions: 150COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DC7920 Relevance: .1, Instructions: 147COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00113168 Relevance: .1, Instructions: 134COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DCE5D4 Relevance: .1, Instructions: 131COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001192C3 Relevance: .1, Instructions: 125COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00119EB0 Relevance: .1, Instructions: 121COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00114620 Relevance: .1, Instructions: 101COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DCE9F8 Relevance: .1, Instructions: 91COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00118B4B Relevance: .1, Instructions: 89COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DCCD40 Relevance: .1, Instructions: 88COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DCF880 Relevance: .1, Instructions: 87COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00116F40 Relevance: .1, Instructions: 87COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DCCD30 Relevance: .1, Instructions: 81COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DCFDF0 Relevance: .1, Instructions: 77COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001118C8 Relevance: .1, Instructions: 77COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001152C8 Relevance: .1, Instructions: 74COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000AD030 Relevance: .1, Instructions: 72COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DC7922 Relevance: .1, Instructions: 72COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00110EC8 Relevance: .1, Instructions: 70COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0011324D Relevance: .1, Instructions: 68COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001117B8 Relevance: .1, Instructions: 67COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0011FE60 Relevance: .1, Instructions: 66COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00118729 Relevance: .1, Instructions: 65COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0011B2C2 Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DCB9C8 Relevance: .1, Instructions: 56COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DCB9C7 Relevance: .1, Instructions: 56COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0011FDC8 Relevance: .1, Instructions: 55COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000AD02B Relevance: .1, Instructions: 53COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00114E5F Relevance: .1, Instructions: 52COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DCE5B8 Relevance: .0, Instructions: 50COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0011B2F0 Relevance: .0, Instructions: 49COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00114664 Relevance: .0, Instructions: 44COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00118D19 Relevance: .0, Instructions: 44COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DCCC29 Relevance: .0, Instructions: 42COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0011FC40 Relevance: .0, Instructions: 41COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DCCC38 Relevance: .0, Instructions: 39COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DC9568 Relevance: .0, Instructions: 39COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DCD2A0 Relevance: .0, Instructions: 38COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DC9588 Relevance: .0, Instructions: 35COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0011FC38 Relevance: .0, Instructions: 35COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0011B158 Relevance: .0, Instructions: 32COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0011FF80 Relevance: .0, Instructions: 26COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00111877 Relevance: .0, Instructions: 25COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0011FE20 Relevance: .0, Instructions: 23COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00111888 Relevance: .0, Instructions: 19COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001156FF Relevance: .0, Instructions: 18COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0011FF28 Relevance: .0, Instructions: 17COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00119F6D Relevance: .0, Instructions: 16COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DC9558 Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DCCE6D Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0011FF30 Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DCBD48 Relevance: .0, Instructions: 13COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DCCD09 Relevance: .0, Instructions: 13COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DC9434 Relevance: .0, Instructions: 12COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00115710 Relevance: .0, Instructions: 12COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004032A0 Relevance: 77.4, APIs: 32, Strings: 12, Instructions: 401stringfilecomCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404B30 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405846 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 148filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DCAFF8 Relevance: 13.0, Strings: 10, Instructions: 461COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38D7DEE1 Relevance: 1.5, Strings: 1, Instructions: 273COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DC7B4F Relevance: .6, Instructions: 620COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38D7B07F Relevance: .3, Instructions: 275COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38D7B930 Relevance: .3, Instructions: 275COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38D7BD88 Relevance: .3, Instructions: 275COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38D7F044 Relevance: .3, Instructions: 274COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38D7DA89 Relevance: .3, Instructions: 272COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38D7E339 Relevance: .3, Instructions: 272COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DC1858 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DC7070 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DC4820 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DC29B8 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DC2108 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DC5AB8 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DC3268 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DC5208 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DC43C8 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DC3B18 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DC74C8 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DC1CB0 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DC6C18 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DC1400 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DC4DB0 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DC2560 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DC36C0 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DC5660 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DC2E10 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DC67C0 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DC0FA8 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DC3F70 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38DC5F10 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38D7C1F2 Relevance: .3, Instructions: 267COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38D7B4EC Relevance: .3, Instructions: 265COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38D7E790 Relevance: .2, Instructions: 239COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38D7EBF4 Relevance: .2, Instructions: 235COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 392C3D01 Relevance: .0, Instructions: 19COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 392C3D40 Relevance: .0, Instructions: 16COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 392C3CE0 Relevance: .0, Instructions: 9COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004052F3 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284windowclipboardmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004042B6 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 207windowstringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040389E Relevance: 37.0, APIs: 13, Strings: 8, Instructions: 215stringregistryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405D84 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131stringmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004045B4 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 275stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406077 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 207stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404180 Relevance: 12.1, APIs: 8, Instructions: 61COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004025E5 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404A7E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402D04 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401CFA Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401D56 Relevance: 7.5, APIs: 5, Instructions: 38COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404970 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401BDF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004063BF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34libraryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405683 Relevance: 6.0, APIs: 4, Instructions: 39COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402D8A Relevance: 6.0, APIs: 4, Instructions: 33COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405128 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405735 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405B8F Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|