Edit tour
Windows
Analysis Report
c7WJL1gt32.exe
Overview
General Information
| Sample name: | c7WJL1gt32.exerenamed because original name is a hash value |
| Original sample name: | 08972ea67ce0756e8af06aeea9628d2ec00392351f8aaaf69cde005f79d74051.exe |
| Analysis ID: | 1588956 |
| MD5: | 7549ee46b6e4391bb5d33788fb901e8d |
| SHA1: | d37b7af1fd0bbb25904818f93b4f992af8631fdd |
| SHA256: | 08972ea67ce0756e8af06aeea9628d2ec00392351f8aaaf69cde005f79d74051 |
| Tags: | exeGuLoaderuser-adrian__luca |
| Infos: |  |
 | |
Detection
GuLoader, MassLogger RAT
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected MassLogger RAT
Yara detected Telegram RAT
AI detected suspicious sample
Disable Task Manager(disabletaskmgr)
Disables CMD prompt
Disables the Windows task manager (taskmgr)
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Classification
- System is w10x64
c7WJL1gt32.exe (PID: 7320 cmdline:
"C:\Users\ user\Deskt op\c7WJL1g t32.exe" MD5: 7549EE46B6E4391BB5D33788FB901E8D) "C:\Users\ user\Deskt op\c7WJL1g t32.exe" MD5: 7549EE46B6E4391BB5D33788FB901E8D)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution |
{"C2 url": "https://api.telegram.org/bot7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc/sendMessage"}{"EXfil Mode": "Telegram", "Telegram Token": "7162915847:AAFcWinWendSJrYL4eRL1FJDDjF3FOU7gZc", "Telegram Chatid": "7382809095"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | ||
| JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | ||
| JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security | ||
| Click to see the 2 entries | ||||
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-11T07:39:55.628697+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49968 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:39:57.862466+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49983 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:39:59.799694+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49999 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:40:05.839276+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50014 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:40:11.469514+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50016 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:40:17.817338+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50018 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:40:28.478131+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50021 | 149.154.167.220 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-11T07:39:47.899216+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49921 | 132.226.8.169 | 80 | TCP |
| 2025-01-11T07:39:54.664778+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49921 | 132.226.8.169 | 80 | TCP |
| 2025-01-11T07:39:56.992895+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49977 | 132.226.8.169 | 80 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-11T07:39:42.346458+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49890 | 216.58.206.46 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-11T07:39:55.319636+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.4 | 49968 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:39:57.585132+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.4 | 49983 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:39:59.520971+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.4 | 49999 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:40:05.590667+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.4 | 50014 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:40:11.213482+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.4 | 50016 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:40:17.385598+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.4 | 50018 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:40:27.919829+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.4 | 50021 | 149.154.167.220 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Integrated Neural Analysis Model: | ||
Location Tracking | |
|---|
| Source: | DNS query: | ||
| Source: | Code function: | 4_2_37B6D1EC | |
| Source: | Code function: | 4_2_37B6D9D9 | |
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_0040672B | |
| Source: | Code function: | 0_2_00405AFA | |
| Source: | Code function: | 0_2_00402868 | |
| Source: | Code function: | 4_2_00402868 | |
| Source: | Code function: | 4_2_0040672B | |
| Source: | Code function: | 4_2_00405AFA | |
| Source: | Code function: | 4_2_37B6C638 | |
| Source: | Code function: | 4_2_37B60C28 | |
| Source: | Code function: | 4_2_37B603AF | |
| Source: | Code function: | 4_2_37B6E790 | |
| Source: | Code function: | 4_2_37B60F6F | |
| Source: | Code function: | 4_2_37B6DEE1 | |
| Source: | Code function: | 4_2_37B6BD88 | |
| Source: | Code function: | 4_2_37B6B4D8 | |
| Source: | Code function: | 4_2_37B60C1A | |
| Source: | Code function: | 4_2_37B6EBE8 | |
| Source: | Code function: | 4_2_37B6E339 | |
| Source: | Code function: | 4_2_37B6DA89 | |
| Source: | Code function: | 4_2_37B6C1E0 | |
| Source: | Code function: | 4_2_37B6B930 | |
| Source: | Code function: | 4_2_37B6B07F | |
| Source: | Code function: | 4_2_37B6F044 | |
| Source: | Code function: | 4_2_3831BDF0 | |
| Source: | Code function: | 4_2_38318650 | |
| Source: | Code function: | 4_2_38318650 | |
| Source: | Code function: | 4_2_38314820 | |
| Source: | Code function: | 4_2_38317070 | |
| Source: | Code function: | 4_2_38311858 | |
| Source: | Code function: | 4_2_38312108 | |
| Source: | Code function: | 4_2_383129B8 | |
| Source: | Code function: | 4_2_38315208 | |
| Source: | Code function: | 4_2_38313268 | |
| Source: | Code function: | 4_2_38315AB8 | |
| Source: | Code function: | 4_2_38313B18 | |
| Source: | Code function: | 4_2_38316368 | |
| Source: | Code function: | 4_2_38317B4F | |
| Source: | Code function: | 4_2_383143C8 | |
| Source: | Code function: | 4_2_38316C18 | |
| Source: | Code function: | 4_2_38311400 | |
| Source: | Code function: | 4_2_38311CB0 | |
| Source: | Code function: | 4_2_383174C8 | |
| Source: | Code function: | 4_2_38312560 | |
| Source: | Code function: | 4_2_38314DB0 | |
| Source: | Code function: | 4_2_38312E10 | |
| Source: | Code function: | 4_2_38315660 | |
| Source: | Code function: | 4_2_383136C0 | |
| Source: | Code function: | 4_2_38315F10 | |
| Source: | Code function: | 4_2_38313F70 | |
| Source: | Code function: | 4_2_38310FA8 | |
| Source: | Code function: | 4_2_383167C0 | |
| Source: | Code function: | 4_2_3833E790 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | JA3 fingerprint: | ||
| Source: | JA3 fingerprint: | ||
| Source: | DNS query: | ||
| Source: | DNS query: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 0_2_0040558F | |
| Source: | Code function: | 0_2_004034A5 | |
| Source: | Code function: | 4_2_004034A5 | |
| Source: | Code function: | 0_2_00404DCC | |
| Source: | Code function: | 0_2_00406AF2 | |
| Source: | Code function: | 0_2_6CF11B5F | |
| Source: | Code function: | 4_2_00404DCC | |
| Source: | Code function: | 4_2_00406AF2 | |
| Source: | Code function: | 4_2_00154328 | |
| Source: | Code function: | 4_2_00158DF5 | |
| Source: | Code function: | 4_2_00155978 | |
| Source: | Code function: | 4_2_001519C4 | |
| Source: | Code function: | 4_2_37B6C638 | |
| Source: | Code function: | 4_2_37B6CCA0 | |
| Source: | Code function: | 4_2_37B603AF | |
| Source: | Code function: | 4_2_37B63318 | |
| Source: | Code function: | 4_2_37B67848 | |
| Source: | Code function: | 4_2_37B6E790 | |
| Source: | Code function: | 4_2_37B6E79F | |
| Source: | Code function: | 4_2_37B67F60 | |
| Source: | Code function: | 4_2_37B66EA0 | |
| Source: | Code function: | 4_2_37B66E91 | |
| Source: | Code function: | 4_2_37B6DEE1 | |
| Source: | Code function: | 4_2_37B67628 | |
| Source: | Code function: | 4_2_37B6BD88 | |
| Source: | Code function: | 4_2_37B6CC91 | |
| Source: | Code function: | 4_2_37B6B4F2 | |
| Source: | Code function: | 4_2_37B6EBF7 | |
| Source: | Code function: | 4_2_37B6E339 | |
| Source: | Code function: | 4_2_37B6DA89 | |
| Source: | Code function: | 4_2_37B6AAE8 | |
| Source: | Code function: | 4_2_37B6C1F2 | |
| Source: | Code function: | 4_2_37B6C1E0 | |
| Source: | Code function: | 4_2_37B6B930 | |
| Source: | Code function: | 4_2_37B6B94A | |
| Source: | Code function: | 4_2_37B6B07F | |
| Source: | Code function: | 4_2_37B6F044 | |
| Source: | Code function: | 4_2_3831A9B0 | |
| Source: | Code function: | 4_2_3831BA97 | |
| Source: | Code function: | 4_2_3831A360 | |
| Source: | Code function: | 4_2_38319D10 | |
| Source: | Code function: | 4_2_3831BDF0 | |
| Source: | Code function: | 4_2_38318650 | |
| Source: | Code function: | 4_2_383196C8 | |
| Source: | Code function: | 4_2_38314820 | |
| Source: | Code function: | 4_2_38314810 | |
| Source: | Code function: | 4_2_38317070 | |
| Source: | Code function: | 4_2_38317061 | |
| Source: | Code function: | 4_2_38311858 | |
| Source: | Code function: | 4_2_38310040 | |
| Source: | Code function: | 4_2_38311848 | |
| Source: | Code function: | 4_2_383120FC | |
| Source: | Code function: | 4_2_3831F130 | |
| Source: | Code function: | 4_2_3831F120 | |
| Source: | Code function: | 4_2_38312108 | |
| Source: | Code function: | 4_2_383129B8 | |
| Source: | Code function: | 4_2_3831A9A0 | |
| Source: | Code function: | 4_2_383129A8 | |
| Source: | Code function: | 4_2_383151F8 | |
| Source: | Code function: | 4_2_38315208 | |
| Source: | Code function: | 4_2_38313268 | |
| Source: | Code function: | 4_2_38315AB8 | |
| Source: | Code function: | 4_2_38315AA8 | |
| Source: | Code function: | 4_2_38313B18 | |
| Source: | Code function: | 4_2_38313B08 | |
| Source: | Code function: | 4_2_38316368 | |
| Source: | Code function: | 4_2_3831A352 | |
| Source: | Code function: | 4_2_38316358 | |
| Source: | Code function: | 4_2_38317B4F | |
| Source: | Code function: | 4_2_383143B9 | |
| Source: | Code function: | 4_2_383143C8 | |
| Source: | Code function: | 4_2_38316C18 | |
| Source: | Code function: | 4_2_38311400 | |
| Source: | Code function: | 4_2_38316C09 | |
| Source: | Code function: | 4_2_38311CB0 | |
| Source: | Code function: | 4_2_383174B8 | |
| Source: | Code function: | 4_2_38311CA0 | |
| Source: | Code function: | 4_2_383174C8 | |
| Source: | Code function: | 4_2_38319D00 | |
| Source: | Code function: | 4_2_38312560 | |
| Source: | Code function: | 4_2_38312550 | |
| Source: | Code function: | 4_2_38314DB0 | |
| Source: | Code function: | 4_2_38314DA0 | |
| Source: | Code function: | 4_2_38312E10 | |
| Source: | Code function: | 4_2_38315660 | |
| Source: | Code function: | 4_2_38315650 | |
| Source: | Code function: | 4_2_38318640 | |
| Source: | Code function: | 4_2_383136B0 | |
| Source: | Code function: | 4_2_383196B8 | |
| Source: | Code function: | 4_2_383136C0 | |
| Source: | Code function: | 4_2_38315F10 | |
| Source: | Code function: | 4_2_38315F01 | |
| Source: | Code function: | 4_2_38313F70 | |
| Source: | Code function: | 4_2_38313F60 | |
| Source: | Code function: | 4_2_383167B0 | |
| Source: | Code function: | 4_2_38310FA8 | |
| Source: | Code function: | 4_2_38310F98 | |
| Source: | Code function: | 4_2_3831AFF7 | |
| Source: | Code function: | 4_2_3831AFF8 | |
| Source: | Code function: | 4_2_383167C0 | |
| Source: | Code function: | 4_2_3833D6C1 | |
| Source: | Code function: | 4_2_3833E790 | |
| Source: | Code function: | 4_2_38338328 | |
| Source: | Code function: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_004034A5 | |
| Source: | Code function: | 4_2_004034A5 | |
| Source: | Code function: | 0_2_00404850 | |
| Source: | Code function: | 0_2_00402104 | |
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
Data Obfuscation | |
|---|
| Source: | File source: | ||
| Source: | Code function: | 0_2_6CF11B5F | |
| Source: | Code function: | 4_3_001949CD | |
| Source: | Code function: | 4_2_0015A492 | |
| Source: | Code function: | 4_2_0015A4FD | |
| Source: | Code function: | 4_2_3833C898 | |
| Source: | File created: | Jump to dropped file | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | API/Special instruction interceptor: | ||
| Source: | API/Special instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | API coverage: | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Code function: | 0_2_0040672B | |
| Source: | Code function: | 0_2_00405AFA | |
| Source: | Code function: | 0_2_00402868 | |
| Source: | Code function: | 4_2_00402868 | |
| Source: | Code function: | 4_2_0040672B | |
| Source: | Code function: | 4_2_00405AFA | |
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_0-4556 | ||
| Source: | API call chain: | graph_0-4714 | ||
| Source: | Code function: | 0_2_00406943 | |
| Source: | Code function: | 0_2_6CF11B5F | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_004034A5 | |
| Source: | Key value queried: | Jump to behavior | ||
Lowering of HIPS / PFW / Operating System Security Settings | |
|---|
| Source: | Registry value created: | Jump to behavior | ||
| Source: | Registry value created: | Jump to behavior | ||
| Source: | Registry key created or modified: | Jump to behavior | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Masquerading | 1 OS Credential Dumping | 21 Security Software Discovery | Remote Services | 1 Email Collection | 1 Web Service | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 11 Process Injection | 31 Disable or Modify Tools | LSASS Memory | 31 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 31 Virtualization/Sandbox Evasion | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | 1 Data from Local System | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Access Token Manipulation | NTDS | 1 System Network Configuration Discovery | Distributed Component Object Model | 1 Clipboard Data | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Process Injection | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | 14 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Deobfuscate/Decode Files or Information | Cached Domain Credentials | 215 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 3 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 78% | Virustotal | Browse | ||
| 74% | ReversingLabs | Win32.Trojan.GuLoader | ||
| 100% | Avira | HEUR/AGEN.1337946 |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| drive.google.com | 216.58.206.46 | true | false | high | |
| drive.usercontent.google.com | 142.250.185.129 | true | false | high | |
| reallyfreegeoip.org | 104.21.80.1 | true | false | high | |
| api.telegram.org | 149.154.167.220 | true | false | high | |
| checkip.dyndns.com | 132.226.8.169 | true | false | high | |
| checkip.dyndns.org | unknown | unknown | false | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | high | ||
| false | high | ||
| false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 132.226.8.169 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false | |
| 149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false | |
| 142.250.185.129 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false | |
| 104.21.80.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false | |
| 216.58.206.46 | drive.google.com | United States | 15169 | GOOGLEUS | false |
| Joe Sandbox version: | 42.0.0 Malachite |
| Analysis ID: | 1588956 |
| Start date and time: | 2025-01-11 07:37:25 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 7m 20s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 6 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | c7WJL1gt32.exerenamed because original name is a hash value |
| Original Sample Name: | 08972ea67ce0756e8af06aeea9628d2ec00392351f8aaaf69cde005f79d74051.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@3/8@5/5 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.45
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
| Time | Type | Description |
|---|---|---|
| 01:39:53 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 132.226.8.169 | Get hash | malicious | Snake Keylogger | Browse |
| |
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| 149.154.167.220 | Get hash | malicious | MassLogger RAT | Browse | ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
| Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse | |||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
| Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| reallyfreegeoip.org | Get hash | malicious | Snake Keylogger | Browse |
| |
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse |
| ||
| api.telegram.org | Get hash | malicious | MassLogger RAT | Browse |
| |
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse |
| ||
| checkip.dyndns.com | Get hash | malicious | Snake Keylogger | Browse |
| |
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| TELEGRAMRU | Get hash | malicious | MassLogger RAT | Browse |
| |
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse |
| ||
| CLOUDFLARENETUS | Get hash | malicious | Snake Keylogger | Browse |
| |
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Azorult | Browse |
| ||
| Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse |
| ||
| UTMEMUS | Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| |
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 54328bd36c14bd82ddaa0c04b25ed9ad | Get hash | malicious | Snake Keylogger | Browse |
| |
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse |
| ||
| 3b5074b1b5d032e5620f69f9f700ff0e | Get hash | malicious | MassLogger RAT | Browse |
| |
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| 37f463bf4616ecd445d4a1937da06e19 | Get hash | malicious | MassLogger RAT | Browse |
| |
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\nse90B2.tmp\System.dll | Get hash | malicious | MassLogger RAT | Browse | ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| Process: | C:\Users\user\Desktop\c7WJL1gt32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 484658 |
| Entropy (8bit): | 7.809711763657168 |
| Encrypted: | false |
| SSDEEP: | 12288:W1S3xo63wl4biprI2S4WwWEcwxg9dvVAxZOCLF0DB:Wo3xX3y4bz2lWwWo6rSTZyd |
| MD5: | 5C727AE28F0DECF497FBB092BAE01B4E |
| SHA1: | AADE364AE8C2C91C6F59F85711B53078FB0763B7 |
| SHA-256: | 77CCACF58330509839E17A6CFD6B17FE3DE31577D8E2C37DC413839BA2FEEC80 |
| SHA-512: | 5246C0FBA41DF66AF89D986A3CEABC99B61DB9E9C217B28B2EC18AF31E3ED17C865387223CEB3A38A804243CF3307E07E557549026F49F52829BEBC4D4546C40 |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\c7WJL1gt32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 82187 |
| Entropy (8bit): | 4.587500544284946 |
| Encrypted: | false |
| SSDEEP: | 768:lTZf23K1a7wxwgK5hHPeBSZdU3O04zV4JiUFThTU1v38rrjDCLaJ6mKK7ckXLhAg:lT12yoASE8CJtVTK3UTxs8Sg |
| MD5: | AD2D7A674C4C9CB91F89D8E03FE5C993 |
| SHA1: | 17C8A5862DBABA28424F66FA18AB612CA645AA76 |
| SHA-256: | 6CD343DF53989BF2D8F1D82722032DB666D44D270EFCAED7129090FB312A45E6 |
| SHA-512: | 9F3B3B979F6FA955BF99D3266D94FFFAD5BC25FB9B924A1C8607E86F0D8F9DF91445F84F1317051DC19FF6B5F83A32A50D25D4A1646CE1F4565736DCE9A5193B |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\c7WJL1gt32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 112291 |
| Entropy (8bit): | 1.249420131631438 |
| Encrypted: | false |
| SSDEEP: | 768:5R+BCpkJWjYWL2MxTVLvUjpGqik9JiAfWA2DBQwD1PzUH+HYZmIo7x31sT:WCZY21w0I2NZYD |
| MD5: | 4D1D72CFC5940B09DFBD7B65916F532E |
| SHA1: | 30A45798B534842002B103A36A3B907063F8A96C |
| SHA-256: | 479F1904096978F1011DF05D52021FAEEE028D4CF331024C965CED8AF1C8D496 |
| SHA-512: | 048844A09E291903450188715BCDDF14F0F1F10BEAFBD005882EBF5D5E31A71D8F93EEBE788BD54B4AED2266C454F4DCA18AF4567977B7E773BBE29A38DEA45B |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\c7WJL1gt32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 362089 |
| Entropy (8bit): | 1.23992084267325 |
| Encrypted: | false |
| SSDEEP: | 768:xOeaameETrlE0+1mGOWb3h5WAV0hW+JSLSwzj2HlSdL0f6mhKZRaqOzWz6szt3cA:x+ds5dYOVxIW3hhdeRt6MeZ1W4vB |
| MD5: | A4340182CDDD2EC1F1480360218343F9 |
| SHA1: | 50EF929FEA713AA6FCC05E8B75F497B7946B285B |
| SHA-256: | B91E5B1FF5756F0B93DCF11CBC8B467CDA0C5792DE24D27EC86E7C74388B44B3 |
| SHA-512: | 021F198AFF7CCED92912C74FC97D1919A9E059F22E99AB1236FBAA36C16B520C07B78F47FC01FCFAC1B53A87CDAE3E440D0589FA2844612617FAB2EDB64A3573 |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\c7WJL1gt32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 139354 |
| Entropy (8bit): | 1.2473328695625903 |
| Encrypted: | false |
| SSDEEP: | 768:9OsMSh8lSnJGyUzWZsO2ipzPFmDZC9kpzroto48tf2+5lVp:9delFlqNawgJp |
| MD5: | B0FB6B583D6902DE58E1202D12BA4832 |
| SHA1: | 7F585B5C3A4581CE76E373C78A6513F157B20480 |
| SHA-256: | E6EA5F6D0C7F5FA407269C7F4FF6D97149B7611071BF5BF6C454B810501AE661 |
| SHA-512: | E0894FFBD76C3476DC083DAFD24F88964BF6E09E4CA955766B43FE73A764A00247C930E9996652A22B57B27826CD94F88B8178514060CA398DE568675F9E4571 |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\c7WJL1gt32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 276296 |
| Entropy (8bit): | 7.772463859530026 |
| Encrypted: | false |
| SSDEEP: | 6144:968ENVGVOEVYMieviL5xEgopRlm16xQFtP3sJM5zQ9N:9/ENsVOESDec5GRlosJczQz |
| MD5: | F6AD06A95089556FEC6BC8D248E01EF7 |
| SHA1: | 9C3EC9838644EA362990222672BFEB857D02E3E3 |
| SHA-256: | E7D5F3AD1B0D29AF8DCC29144F423A4328CC588F742A02630C90D7DEEF1C4BE3 |
| SHA-512: | 54FF1678EC6CAD600D727CB1DDB9DAA462A23A5791F112588C769104341123FFB4C45F356A3395D2012B0A16B1C67CBCF4FD1F34126346888C578EA396F9D316 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\c7WJL1gt32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 12288 |
| Entropy (8bit): | 5.719859767584478 |
| Encrypted: | false |
| SSDEEP: | 192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6 |
| MD5: | 0D7AD4F45DC6F5AA87F606D0331C6901 |
| SHA1: | 48DF0911F0484CBE2A8CDD5362140B63C41EE457 |
| SHA-256: | 3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA |
| SHA-512: | C07DE7308CB54205E8BD703001A7FE4FD7796C9AC1B4BB330C77C872BF712B093645F40B80CE7127531FE6746A5B66E18EA073AB6A644934ABED9BB64126FEA9 |
| Malicious: | false |
| Antivirus: |
|
| Joe Sandbox View: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\c7WJL1gt32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1483092 |
| Entropy (8bit): | 5.46659686299126 |
| Encrypted: | false |
| SSDEEP: | 24576:9rDlMosJcbo3xX3y4bz2lWwWo6rSTZyQ6:7PoBXbz2luo6rS1yB |
| MD5: | D6102601869F9C2585F563EA56C429BD |
| SHA1: | 3E48554E7B89909E14B7F8147E114C231082A489 |
| SHA-256: | 37205018756248334057C7BA2E2C9152EB21F455680F3341B460C2DB43D5BDB6 |
| SHA-512: | E10BD25EC5FD9BBE00BA0D0E2AB3BC191BDE34E1466610A5F06D9EF50E9E6170F4CAD7EB93EC0DDEE5DE479B18327D502DD188A83FADF49A15749BA009D6B17F |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.959597258531055 |
| TrID: |
|
| File name: | c7WJL1gt32.exe |
| File size: | 1'017'781 bytes |
| MD5: | 7549ee46b6e4391bb5d33788fb901e8d |
| SHA1: | d37b7af1fd0bbb25904818f93b4f992af8631fdd |
| SHA256: | 08972ea67ce0756e8af06aeea9628d2ec00392351f8aaaf69cde005f79d74051 |
| SHA512: | 294de0650592e91a5bbd6d5311898a0a7d6093fc0645f096904abe54e050788e1b5c0448db85a1e6b443b979d600c4912b48fc278d8792f7a5ad7b94d313cae6 |
| SSDEEP: | 24576:9jwKCNW7eeGnMYvkx0qqFu6zd9qPvFwkAMZCnJOaqZKNK:V1Cc7nG5Maq0H+9wkjKoH+K |
| TLSH: | 3325230E72618D03C4718E76AA27955F727DAF6B4D2667C32341386E6E3F38D0C72694 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...$..\.................f...*..... |
 | |
| Icon Hash: | 46224e4c19391d03 |
| Entrypoint: | 0x4034a5 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x5C157F24 [Sat Dec 15 22:24:36 2018 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 1f23f452093b5c1ff091a2f9fb4fa3e9 |
| Instruction |
|---|
| sub esp, 000002D4h |
| push ebx |
| push esi |
| push edi |
| push 00000020h |
| pop edi |
| xor ebx, ebx |
| push 00008001h |
| mov dword ptr [esp+14h], ebx |
| mov dword ptr [esp+10h], 0040A230h |
| mov dword ptr [esp+1Ch], ebx |
| call dword ptr [004080ACh] |
| call dword ptr [004080A8h] |
| and eax, BFFFFFFFh |
| cmp ax, 00000006h |
| mov dword ptr [0042A24Ch], eax |
| je 00007FC729450C63h |
| push ebx |
| call 00007FC729453F2Dh |
| cmp eax, ebx |
| je 00007FC729450C59h |
| push 00000C00h |
| call eax |
| mov esi, 004082B0h |
| push esi |
| call 00007FC729453EA7h |
| push esi |
| call dword ptr [00408150h] |
| lea esi, dword ptr [esi+eax+01h] |
| cmp byte ptr [esi], 00000000h |
| jne 00007FC729450C3Ch |
| push 0000000Ah |
| call 00007FC729453F00h |
| push 00000008h |
| call 00007FC729453EF9h |
| push 00000006h |
| mov dword ptr [0042A244h], eax |
| call 00007FC729453EEDh |
| cmp eax, ebx |
| je 00007FC729450C61h |
| push 0000001Eh |
| call eax |
| test eax, eax |
| je 00007FC729450C59h |
| or byte ptr [0042A24Fh], 00000040h |
| push ebp |
| call dword ptr [00408044h] |
| push ebx |
| call dword ptr [004082A0h] |
| mov dword ptr [0042A318h], eax |
| push ebx |
| lea eax, dword ptr [esp+34h] |
| push 000002B4h |
| push eax |
| push ebx |
| push 004216E8h |
| call dword ptr [00408188h] |
| push 0040A384h |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x55000 | 0x21068 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x6409 | 0x6600 | bfe2b726d49cbd922b87bad5eea65e61 | False | 0.6540287990196079 | data | 6.416186322230332 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x8000 | 0x1396 | 0x1400 | d45dcba8ca646543f7e339e20089687e | False | 0.45234375 | data | 5.154907432640367 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xa000 | 0x20358 | 0x600 | 8575fc5e872ca789611c386779287649 | False | 0.5026041666666666 | data | 4.004402321344153 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .ndata | 0x2b000 | 0x2a000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x55000 | 0x21068 | 0x21200 | 03ed2ed76ba15352dac9e48819696134 | False | 0.8714696344339623 | data | 7.556190648348207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_BITMAP | 0x554c0 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States | 0.23623853211009174 |
| RT_ICON | 0x55828 | 0xc2a3 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9966684729162903 |
| RT_ICON | 0x61ad0 | 0x86e0 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.990210843373494 |
| RT_ICON | 0x6a1b0 | 0x5085 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9867559307233299 |
| RT_ICON | 0x6f238 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.4358921161825726 |
| RT_ICON | 0x717e0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.4896810506566604 |
| RT_ICON | 0x72888 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.5367803837953091 |
| RT_ICON | 0x73730 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.6913357400722022 |
| RT_ICON | 0x73fd8 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.38597560975609757 |
| RT_ICON | 0x74640 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.4934971098265896 |
| RT_ICON | 0x74ba8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.651595744680851 |
| RT_ICON | 0x75010 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.46908602150537637 |
| RT_ICON | 0x752f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.5472972972972973 |
| RT_DIALOG | 0x75420 | 0x120 | data | English | United States | 0.53125 |
| RT_DIALOG | 0x75540 | 0x118 | data | English | United States | 0.5678571428571428 |
| RT_DIALOG | 0x75658 | 0x120 | data | English | United States | 0.5104166666666666 |
| RT_DIALOG | 0x75778 | 0xf8 | data | English | United States | 0.6330645161290323 |
| RT_DIALOG | 0x75870 | 0xa0 | data | English | United States | 0.6125 |
| RT_DIALOG | 0x75910 | 0x60 | data | English | United States | 0.7291666666666666 |
| RT_GROUP_ICON | 0x75970 | 0xae | data | English | United States | 0.6091954022988506 |
| RT_VERSION | 0x75a20 | 0x308 | data | English | United States | 0.47036082474226804 |
| RT_MANIFEST | 0x75d28 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795 |
| DLL | Import |
|---|---|
| KERNEL32.dll | ExitProcess, SetFileAttributesW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, SetCurrentDirectoryW, GetFileAttributesW, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, CopyFileW, GetShortPathNameW, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalUnlock, GetDiskFreeSpaceW, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW |
| USER32.dll | GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage |
| GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
| SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW |
| ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW |
| COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
| ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-11T07:39:42.346458+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49890 | 216.58.206.46 | 443 | TCP |
| 2025-01-11T07:39:47.899216+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49921 | 132.226.8.169 | 80 | TCP |
| 2025-01-11T07:39:54.664778+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49921 | 132.226.8.169 | 80 | TCP |
| 2025-01-11T07:39:55.319636+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.4 | 49968 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:39:55.628697+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.4 | 49968 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:39:56.992895+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49977 | 132.226.8.169 | 80 | TCP |
| 2025-01-11T07:39:57.585132+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.4 | 49983 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:39:57.862466+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.4 | 49983 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:39:59.520971+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.4 | 49999 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:39:59.799694+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.4 | 49999 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:40:05.590667+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.4 | 50014 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:40:05.839276+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.4 | 50014 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:40:11.213482+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.4 | 50016 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:40:11.469514+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.4 | 50016 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:40:17.385598+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.4 | 50018 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:40:17.817338+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.4 | 50018 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:40:27.919829+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.4 | 50021 | 149.154.167.220 | 443 | TCP |
| 2025-01-11T07:40:28.478131+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.4 | 50021 | 149.154.167.220 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 11, 2025 07:39:41.296844006 CET | 49890 | 443 | 192.168.2.4 | 216.58.206.46 |
| Jan 11, 2025 07:39:41.296930075 CET | 443 | 49890 | 216.58.206.46 | 192.168.2.4 |
| Jan 11, 2025 07:39:41.297269106 CET | 49890 | 443 | 192.168.2.4 | 216.58.206.46 |
| Jan 11, 2025 07:39:41.310718060 CET | 49890 | 443 | 192.168.2.4 | 216.58.206.46 |
| Jan 11, 2025 07:39:41.310750961 CET | 443 | 49890 | 216.58.206.46 | 192.168.2.4 |
| Jan 11, 2025 07:39:41.962006092 CET | 443 | 49890 | 216.58.206.46 | 192.168.2.4 |
| Jan 11, 2025 07:39:41.962152004 CET | 49890 | 443 | 192.168.2.4 | 216.58.206.46 |
| Jan 11, 2025 07:39:41.962769985 CET | 443 | 49890 | 216.58.206.46 | 192.168.2.4 |
| Jan 11, 2025 07:39:41.962833881 CET | 49890 | 443 | 192.168.2.4 | 216.58.206.46 |
| Jan 11, 2025 07:39:42.039391041 CET | 49890 | 443 | 192.168.2.4 | 216.58.206.46 |
| Jan 11, 2025 07:39:42.039417028 CET | 443 | 49890 | 216.58.206.46 | 192.168.2.4 |
| Jan 11, 2025 07:39:42.039714098 CET | 443 | 49890 | 216.58.206.46 | 192.168.2.4 |
| Jan 11, 2025 07:39:42.039766073 CET | 49890 | 443 | 192.168.2.4 | 216.58.206.46 |
| Jan 11, 2025 07:39:42.044193029 CET | 49890 | 443 | 192.168.2.4 | 216.58.206.46 |
| Jan 11, 2025 07:39:42.087331057 CET | 443 | 49890 | 216.58.206.46 | 192.168.2.4 |
| Jan 11, 2025 07:39:42.346441031 CET | 443 | 49890 | 216.58.206.46 | 192.168.2.4 |
| Jan 11, 2025 07:39:42.346512079 CET | 49890 | 443 | 192.168.2.4 | 216.58.206.46 |
| Jan 11, 2025 07:39:42.346545935 CET | 443 | 49890 | 216.58.206.46 | 192.168.2.4 |
| Jan 11, 2025 07:39:42.346586943 CET | 49890 | 443 | 192.168.2.4 | 216.58.206.46 |
| Jan 11, 2025 07:39:42.346734047 CET | 49890 | 443 | 192.168.2.4 | 216.58.206.46 |
| Jan 11, 2025 07:39:42.346760035 CET | 443 | 49890 | 216.58.206.46 | 192.168.2.4 |
| Jan 11, 2025 07:39:42.346832037 CET | 49890 | 443 | 192.168.2.4 | 216.58.206.46 |
| Jan 11, 2025 07:39:42.369683027 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:42.369728088 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:42.369791031 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:42.370071888 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:42.370090008 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:43.016896963 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:43.016988993 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:43.021162033 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:43.021173954 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:43.021421909 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:43.021492004 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:43.021840096 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:43.063324928 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.535964966 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.536215067 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.541450977 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.541657925 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.554027081 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.554207087 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.554244995 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.554300070 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.560270071 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.560364962 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.624244928 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.624341965 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.624356985 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.624403000 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.624408960 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.624454021 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.624677896 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.624736071 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.624742031 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.624788046 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.630997896 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.631061077 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.631068945 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.631119967 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.637408972 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.637484074 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.637502909 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.637556076 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.643706083 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.643779039 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.643791914 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.643843889 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.650078058 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.650147915 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.650166035 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.650223970 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.658194065 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.658261061 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.658271074 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.658310890 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.662573099 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.662627935 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.662636042 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.662673950 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.668397903 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.668464899 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.668488026 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.668524981 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.674047947 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.674150944 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.674169064 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.674216986 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.679920912 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.680000067 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.680021048 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.680072069 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.685672045 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.685760975 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.692361116 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.692435980 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.692457914 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.692506075 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.715010881 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.715075016 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.715111971 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.715122938 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.715162992 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.715178967 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.715197086 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.715255976 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.715281010 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.715339899 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.715348005 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.715399981 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.715405941 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.715450048 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.716773987 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.716830969 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.716831923 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.716845036 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.716871023 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.716909885 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.722358942 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.722419024 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.722426891 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.722469091 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.727643013 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.727704048 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.727719069 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.727763891 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.732618093 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.732702971 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.732724905 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.732777119 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.732791901 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.737622976 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.737695932 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.737704992 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.737741947 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.742209911 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.742263079 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.742301941 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.742358923 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.746871948 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.746959925 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.746987104 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.747025967 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.751554966 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.751647949 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.751672029 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.751759052 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.756412983 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.756500959 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.756525993 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.756577969 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.760868073 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.760936975 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.760958910 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.761008024 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.765531063 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.765614033 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.765633106 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.765671968 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.769880056 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.769922018 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.769939899 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.769982100 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.774148941 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.774198055 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.774214983 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.774255037 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.774260998 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.774291992 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:45.774295092 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.774333954 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.774501085 CET | 49896 | 443 | 192.168.2.4 | 142.250.185.129 |
| Jan 11, 2025 07:39:45.774518967 CET | 443 | 49896 | 142.250.185.129 | 192.168.2.4 |
| Jan 11, 2025 07:39:46.716078997 CET | 49921 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:39:46.721026897 CET | 80 | 49921 | 132.226.8.169 | 192.168.2.4 |
| Jan 11, 2025 07:39:46.721112967 CET | 49921 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:39:46.721379042 CET | 49921 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:39:46.726219893 CET | 80 | 49921 | 132.226.8.169 | 192.168.2.4 |
| Jan 11, 2025 07:39:47.558394909 CET | 80 | 49921 | 132.226.8.169 | 192.168.2.4 |
| Jan 11, 2025 07:39:47.566066980 CET | 49921 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:39:47.572715998 CET | 80 | 49921 | 132.226.8.169 | 192.168.2.4 |
| Jan 11, 2025 07:39:47.848217964 CET | 80 | 49921 | 132.226.8.169 | 192.168.2.4 |
| Jan 11, 2025 07:39:47.899215937 CET | 49921 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:39:48.121121883 CET | 49932 | 443 | 192.168.2.4 | 104.21.80.1 |
| Jan 11, 2025 07:39:48.121182919 CET | 443 | 49932 | 104.21.80.1 | 192.168.2.4 |
| Jan 11, 2025 07:39:48.121401072 CET | 49932 | 443 | 192.168.2.4 | 104.21.80.1 |
| Jan 11, 2025 07:39:48.124953032 CET | 49932 | 443 | 192.168.2.4 | 104.21.80.1 |
| Jan 11, 2025 07:39:48.124984980 CET | 443 | 49932 | 104.21.80.1 | 192.168.2.4 |
| Jan 11, 2025 07:39:48.595041990 CET | 443 | 49932 | 104.21.80.1 | 192.168.2.4 |
| Jan 11, 2025 07:39:48.595207930 CET | 49932 | 443 | 192.168.2.4 | 104.21.80.1 |
| Jan 11, 2025 07:39:48.599299908 CET | 49932 | 443 | 192.168.2.4 | 104.21.80.1 |
| Jan 11, 2025 07:39:48.599345922 CET | 443 | 49932 | 104.21.80.1 | 192.168.2.4 |
| Jan 11, 2025 07:39:48.599663019 CET | 443 | 49932 | 104.21.80.1 | 192.168.2.4 |
| Jan 11, 2025 07:39:48.604374886 CET | 49932 | 443 | 192.168.2.4 | 104.21.80.1 |
| Jan 11, 2025 07:39:48.651330948 CET | 443 | 49932 | 104.21.80.1 | 192.168.2.4 |
| Jan 11, 2025 07:39:48.719381094 CET | 443 | 49932 | 104.21.80.1 | 192.168.2.4 |
| Jan 11, 2025 07:39:48.719458103 CET | 443 | 49932 | 104.21.80.1 | 192.168.2.4 |
| Jan 11, 2025 07:39:48.719588995 CET | 49932 | 443 | 192.168.2.4 | 104.21.80.1 |
| Jan 11, 2025 07:39:48.726103067 CET | 49932 | 443 | 192.168.2.4 | 104.21.80.1 |
| Jan 11, 2025 07:39:54.321516991 CET | 49921 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:39:54.326503992 CET | 80 | 49921 | 132.226.8.169 | 192.168.2.4 |
| Jan 11, 2025 07:39:54.620425940 CET | 80 | 49921 | 132.226.8.169 | 192.168.2.4 |
| Jan 11, 2025 07:39:54.636372089 CET | 49968 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:39:54.636405945 CET | 443 | 49968 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:39:54.636527061 CET | 49968 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:39:54.636933088 CET | 49968 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:39:54.636945009 CET | 443 | 49968 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:39:54.664777994 CET | 49921 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:39:55.274194956 CET | 443 | 49968 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:39:55.274346113 CET | 49968 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:39:55.276365995 CET | 49968 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:39:55.276385069 CET | 443 | 49968 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:39:55.276696920 CET | 443 | 49968 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:39:55.278311968 CET | 49968 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:39:55.319339991 CET | 443 | 49968 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:39:55.319510937 CET | 49968 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:39:55.319529057 CET | 443 | 49968 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:39:55.628848076 CET | 443 | 49968 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:39:55.629036903 CET | 443 | 49968 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:39:55.629180908 CET | 49968 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:39:55.629821062 CET | 49968 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:39:56.076823950 CET | 49921 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:39:56.082103968 CET | 80 | 49921 | 132.226.8.169 | 192.168.2.4 |
| Jan 11, 2025 07:39:56.082416058 CET | 49921 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:39:56.094296932 CET | 49977 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:39:56.099339962 CET | 80 | 49977 | 132.226.8.169 | 192.168.2.4 |
| Jan 11, 2025 07:39:56.102467060 CET | 49977 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:39:56.103481054 CET | 49977 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:39:56.108334064 CET | 80 | 49977 | 132.226.8.169 | 192.168.2.4 |
| Jan 11, 2025 07:39:56.943947077 CET | 80 | 49977 | 132.226.8.169 | 192.168.2.4 |
| Jan 11, 2025 07:39:56.945290089 CET | 49983 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:39:56.945331097 CET | 443 | 49983 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:39:56.945410967 CET | 49983 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:39:56.946124077 CET | 49983 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:39:56.946136951 CET | 443 | 49983 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:39:56.992894888 CET | 49977 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:39:57.577167034 CET | 443 | 49983 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:39:57.584703922 CET | 49983 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:39:57.584738016 CET | 443 | 49983 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:39:57.584794044 CET | 49983 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:39:57.584800959 CET | 443 | 49983 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:39:57.862555027 CET | 443 | 49983 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:39:57.862670898 CET | 443 | 49983 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:39:57.862787962 CET | 49983 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:39:57.863348007 CET | 49983 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:39:57.867877007 CET | 49991 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:39:57.873529911 CET | 80 | 49991 | 132.226.8.169 | 192.168.2.4 |
| Jan 11, 2025 07:39:57.876979113 CET | 49991 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:39:57.877127886 CET | 49991 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:39:57.881944895 CET | 80 | 49991 | 132.226.8.169 | 192.168.2.4 |
| Jan 11, 2025 07:39:58.911942005 CET | 80 | 49991 | 132.226.8.169 | 192.168.2.4 |
| Jan 11, 2025 07:39:58.913155079 CET | 49999 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:39:58.913184881 CET | 443 | 49999 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:39:58.913249969 CET | 49999 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:39:58.913480043 CET | 49999 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:39:58.913492918 CET | 443 | 49999 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:39:58.962600946 CET | 49991 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:39:59.519047022 CET | 443 | 49999 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:39:59.520814896 CET | 49999 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:39:59.520833969 CET | 443 | 49999 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:39:59.520888090 CET | 49999 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:39:59.520898104 CET | 443 | 49999 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:39:59.799776077 CET | 443 | 49999 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:39:59.799882889 CET | 443 | 49999 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:39:59.799935102 CET | 49999 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:39:59.800440073 CET | 49999 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:39:59.804054022 CET | 49991 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:39:59.805299997 CET | 50006 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:39:59.809012890 CET | 80 | 49991 | 132.226.8.169 | 192.168.2.4 |
| Jan 11, 2025 07:39:59.809072018 CET | 49991 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:39:59.810169935 CET | 80 | 50006 | 132.226.8.169 | 192.168.2.4 |
| Jan 11, 2025 07:39:59.810234070 CET | 50006 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:39:59.810326099 CET | 50006 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:39:59.815072060 CET | 80 | 50006 | 132.226.8.169 | 192.168.2.4 |
| Jan 11, 2025 07:40:04.982192993 CET | 80 | 50006 | 132.226.8.169 | 192.168.2.4 |
| Jan 11, 2025 07:40:04.983825922 CET | 50014 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:40:04.983872890 CET | 443 | 50014 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:40:04.983948946 CET | 50014 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:40:04.984261990 CET | 50014 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:40:04.984272957 CET | 443 | 50014 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:40:05.024163008 CET | 50006 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:40:05.588587999 CET | 443 | 50014 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:40:05.590450048 CET | 50014 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:40:05.590473890 CET | 443 | 50014 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:40:05.590528965 CET | 50014 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:40:05.590536118 CET | 443 | 50014 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:40:05.839330912 CET | 443 | 50014 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:40:05.839421034 CET | 443 | 50014 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:40:05.839485884 CET | 50014 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:40:05.840008974 CET | 50014 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:40:05.843521118 CET | 50006 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:40:05.844739914 CET | 50015 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:40:05.848587036 CET | 80 | 50006 | 132.226.8.169 | 192.168.2.4 |
| Jan 11, 2025 07:40:05.848661900 CET | 50006 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:40:05.849543095 CET | 80 | 50015 | 132.226.8.169 | 192.168.2.4 |
| Jan 11, 2025 07:40:05.849625111 CET | 50015 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:40:05.849704027 CET | 50015 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:40:05.854574919 CET | 80 | 50015 | 132.226.8.169 | 192.168.2.4 |
| Jan 11, 2025 07:40:10.593808889 CET | 80 | 50015 | 132.226.8.169 | 192.168.2.4 |
| Jan 11, 2025 07:40:10.596463919 CET | 50016 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:40:10.596518993 CET | 443 | 50016 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:40:10.596595049 CET | 50016 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:40:10.597245932 CET | 50016 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:40:10.597261906 CET | 443 | 50016 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:40:10.633572102 CET | 50015 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:40:11.211114883 CET | 443 | 50016 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:40:11.213293076 CET | 50016 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:40:11.213314056 CET | 443 | 50016 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:40:11.213376045 CET | 50016 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:40:11.213385105 CET | 443 | 50016 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:40:11.469649076 CET | 443 | 50016 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:40:11.469847918 CET | 443 | 50016 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:40:11.469935894 CET | 50016 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:40:11.470326900 CET | 50016 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:40:11.473696947 CET | 50015 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:40:11.474947929 CET | 50017 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:40:11.478734016 CET | 80 | 50015 | 132.226.8.169 | 192.168.2.4 |
| Jan 11, 2025 07:40:11.478807926 CET | 50015 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:40:11.479878902 CET | 80 | 50017 | 132.226.8.169 | 192.168.2.4 |
| Jan 11, 2025 07:40:11.479965925 CET | 50017 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:40:11.480046988 CET | 50017 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:40:11.484958887 CET | 80 | 50017 | 132.226.8.169 | 192.168.2.4 |
| Jan 11, 2025 07:40:16.771871090 CET | 80 | 50017 | 132.226.8.169 | 192.168.2.4 |
| Jan 11, 2025 07:40:16.774588108 CET | 50018 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:40:16.774648905 CET | 443 | 50018 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:40:16.774722099 CET | 50018 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:40:16.775137901 CET | 50018 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:40:16.775158882 CET | 443 | 50018 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:40:16.821088076 CET | 50017 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:40:17.383366108 CET | 443 | 50018 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:40:17.385323048 CET | 50018 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:40:17.385361910 CET | 443 | 50018 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:40:17.385530949 CET | 50018 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:40:17.385544062 CET | 443 | 50018 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:40:17.817502975 CET | 443 | 50018 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:40:17.817724943 CET | 443 | 50018 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:40:17.817821026 CET | 50018 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:40:17.818320990 CET | 50018 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:40:17.822247028 CET | 50017 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:40:17.822870016 CET | 50019 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:40:17.827338934 CET | 80 | 50017 | 132.226.8.169 | 192.168.2.4 |
| Jan 11, 2025 07:40:17.827446938 CET | 50017 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:40:17.827784061 CET | 80 | 50019 | 132.226.8.169 | 192.168.2.4 |
| Jan 11, 2025 07:40:17.827876091 CET | 50019 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:40:17.827970982 CET | 50019 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:40:17.832878113 CET | 80 | 50019 | 132.226.8.169 | 192.168.2.4 |
| Jan 11, 2025 07:40:22.958065033 CET | 80 | 50019 | 132.226.8.169 | 192.168.2.4 |
| Jan 11, 2025 07:40:23.008629084 CET | 50019 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:40:23.073966980 CET | 50020 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:40:23.078876972 CET | 80 | 50020 | 132.226.8.169 | 192.168.2.4 |
| Jan 11, 2025 07:40:23.082088947 CET | 50020 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:40:23.082222939 CET | 50020 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:40:23.086999893 CET | 80 | 50020 | 132.226.8.169 | 192.168.2.4 |
| Jan 11, 2025 07:40:24.370826960 CET | 80 | 50020 | 132.226.8.169 | 192.168.2.4 |
| Jan 11, 2025 07:40:24.372298002 CET | 50021 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:40:24.372348070 CET | 443 | 50021 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:40:24.372358084 CET | 50019 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:40:24.372410059 CET | 50021 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:40:24.372735977 CET | 50021 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:40:24.372747898 CET | 443 | 50021 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:40:24.377460957 CET | 80 | 50019 | 132.226.8.169 | 192.168.2.4 |
| Jan 11, 2025 07:40:24.377562046 CET | 50019 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:40:24.414936066 CET | 50020 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:40:24.995517015 CET | 443 | 50021 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:40:25.035506010 CET | 50021 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:40:27.919445038 CET | 50021 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:40:27.919471025 CET | 443 | 50021 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:40:27.919538021 CET | 50021 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:40:27.919544935 CET | 443 | 50021 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:40:28.478215933 CET | 443 | 50021 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:40:28.478329897 CET | 443 | 50021 | 149.154.167.220 | 192.168.2.4 |
| Jan 11, 2025 07:40:28.478399992 CET | 50021 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:40:28.478838921 CET | 50021 | 443 | 192.168.2.4 | 149.154.167.220 |
| Jan 11, 2025 07:40:28.481694937 CET | 50020 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:40:28.482701063 CET | 50022 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:40:28.486807108 CET | 80 | 50020 | 132.226.8.169 | 192.168.2.4 |
| Jan 11, 2025 07:40:28.486890078 CET | 50020 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:40:28.487605095 CET | 80 | 50022 | 132.226.8.169 | 192.168.2.4 |
| Jan 11, 2025 07:40:28.487679005 CET | 50022 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:40:28.487767935 CET | 50022 | 80 | 192.168.2.4 | 132.226.8.169 |
| Jan 11, 2025 07:40:28.492638111 CET | 80 | 50022 | 132.226.8.169 | 192.168.2.4 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 11, 2025 07:39:41.169106960 CET | 50141 | 53 | 192.168.2.4 | 1.1.1.1 |
| Jan 11, 2025 07:39:41.279591084 CET | 53 | 50141 | 1.1.1.1 | 192.168.2.4 |
| Jan 11, 2025 07:39:42.361627102 CET | 52235 | 53 | 192.168.2.4 | 1.1.1.1 |
| Jan 11, 2025 07:39:42.368859053 CET | 53 | 52235 | 1.1.1.1 | 192.168.2.4 |
| Jan 11, 2025 07:39:46.704070091 CET | 62315 | 53 | 192.168.2.4 | 1.1.1.1 |
| Jan 11, 2025 07:39:46.711347103 CET | 53 | 62315 | 1.1.1.1 | 192.168.2.4 |
| Jan 11, 2025 07:39:48.110366106 CET | 59165 | 53 | 192.168.2.4 | 1.1.1.1 |
| Jan 11, 2025 07:39:48.119493008 CET | 53 | 59165 | 1.1.1.1 | 192.168.2.4 |
| Jan 11, 2025 07:39:54.628595114 CET | 59059 | 53 | 192.168.2.4 | 1.1.1.1 |
| Jan 11, 2025 07:39:54.635695934 CET | 53 | 59059 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Jan 11, 2025 07:39:41.169106960 CET | 192.168.2.4 | 1.1.1.1 | 0x13b9 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 11, 2025 07:39:42.361627102 CET | 192.168.2.4 | 1.1.1.1 | 0x8d01 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 11, 2025 07:39:46.704070091 CET | 192.168.2.4 | 1.1.1.1 | 0x28a7 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 11, 2025 07:39:48.110366106 CET | 192.168.2.4 | 1.1.1.1 | 0xb401 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Jan 11, 2025 07:39:54.628595114 CET | 192.168.2.4 | 1.1.1.1 | 0x2d80 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jan 11, 2025 07:39:41.279591084 CET | 1.1.1.1 | 192.168.2.4 | 0x13b9 | No error (0) | 216.58.206.46 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 07:39:42.368859053 CET | 1.1.1.1 | 192.168.2.4 | 0x8d01 | No error (0) | 142.250.185.129 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 07:39:46.711347103 CET | 1.1.1.1 | 192.168.2.4 | 0x28a7 | No error (0) | checkip.dyndns.com | CNAME (Canonical name) | IN (0x0001) | false | ||
| Jan 11, 2025 07:39:46.711347103 CET | 1.1.1.1 | 192.168.2.4 | 0x28a7 | No error (0) | 132.226.8.169 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 07:39:46.711347103 CET | 1.1.1.1 | 192.168.2.4 | 0x28a7 | No error (0) | 193.122.6.168 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 07:39:46.711347103 CET | 1.1.1.1 | 192.168.2.4 | 0x28a7 | No error (0) | 132.226.247.73 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 07:39:46.711347103 CET | 1.1.1.1 | 192.168.2.4 | 0x28a7 | No error (0) | 158.101.44.242 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 07:39:46.711347103 CET | 1.1.1.1 | 192.168.2.4 | 0x28a7 | No error (0) | 193.122.130.0 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 07:39:48.119493008 CET | 1.1.1.1 | 192.168.2.4 | 0xb401 | No error (0) | 104.21.80.1 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 07:39:48.119493008 CET | 1.1.1.1 | 192.168.2.4 | 0xb401 | No error (0) | 104.21.64.1 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 07:39:48.119493008 CET | 1.1.1.1 | 192.168.2.4 | 0xb401 | No error (0) | 104.21.16.1 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 07:39:48.119493008 CET | 1.1.1.1 | 192.168.2.4 | 0xb401 | No error (0) | 104.21.96.1 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 07:39:48.119493008 CET | 1.1.1.1 | 192.168.2.4 | 0xb401 | No error (0) | 104.21.48.1 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 07:39:48.119493008 CET | 1.1.1.1 | 192.168.2.4 | 0xb401 | No error (0) | 104.21.112.1 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 07:39:48.119493008 CET | 1.1.1.1 | 192.168.2.4 | 0xb401 | No error (0) | 104.21.32.1 | A (IP address) | IN (0x0001) | false | ||
| Jan 11, 2025 07:39:54.635695934 CET | 1.1.1.1 | 192.168.2.4 | 0x2d80 | No error (0) | 149.154.167.220 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49921 | 132.226.8.169 | 80 | 7856 | C:\Users\user\Desktop\c7WJL1gt32.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jan 11, 2025 07:39:46.721379042 CET | 151 | OUT | |
| Jan 11, 2025 07:39:47.558394909 CET | 273 | IN | |
| Jan 11, 2025 07:39:47.566066980 CET | 127 | OUT | |
| Jan 11, 2025 07:39:47.848217964 CET | 273 | IN | |
| Jan 11, 2025 07:39:54.321516991 CET | 127 | OUT | |
| Jan 11, 2025 07:39:54.620425940 CET | 273 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49977 | 132.226.8.169 | 80 | 7856 | C:\Users\user\Desktop\c7WJL1gt32.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jan 11, 2025 07:39:56.103481054 CET | 127 | OUT | |
| Jan 11, 2025 07:39:56.943947077 CET | 273 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.4 | 49991 | 132.226.8.169 | 80 | 7856 | C:\Users\user\Desktop\c7WJL1gt32.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jan 11, 2025 07:39:57.877127886 CET | 151 | OUT | |
| Jan 11, 2025 07:39:58.911942005 CET | 273 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.4 | 50006 | 132.226.8.169 | 80 | 7856 | C:\Users\user\Desktop\c7WJL1gt32.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jan 11, 2025 07:39:59.810326099 CET | 151 | OUT | |
| Jan 11, 2025 07:40:04.982192993 CET | 273 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.4 | 50015 | 132.226.8.169 | 80 | 7856 | C:\Users\user\Desktop\c7WJL1gt32.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jan 11, 2025 07:40:05.849704027 CET | 151 | OUT | |
| Jan 11, 2025 07:40:10.593808889 CET | 273 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.4 | 50017 | 132.226.8.169 | 80 | 7856 | C:\Users\user\Desktop\c7WJL1gt32.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jan 11, 2025 07:40:11.480046988 CET | 151 | OUT | |
| Jan 11, 2025 07:40:16.771871090 CET | 273 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.4 | 50019 | 132.226.8.169 | 80 | 7856 | C:\Users\user\Desktop\c7WJL1gt32.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jan 11, 2025 07:40:17.827970982 CET | 151 | OUT | |
| Jan 11, 2025 07:40:22.958065033 CET | 697 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.4 | 50020 | 132.226.8.169 | 80 | 7856 | C:\Users\user\Desktop\c7WJL1gt32.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jan 11, 2025 07:40:23.082222939 CET | 151 | OUT | |
| Jan 11, 2025 07:40:24.370826960 CET | 273 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port |
|---|---|---|---|---|
| 8 | 192.168.2.4 | 50022 | 132.226.8.169 | 80 |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jan 11, 2025 07:40:28.487767935 CET | 151 | OUT |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49890 | 216.58.206.46 | 443 | 7856 | C:\Users\user\Desktop\c7WJL1gt32.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-11 06:39:42 UTC | 216 | OUT | |
| 2025-01-11 06:39:42 UTC | 1920 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49896 | 142.250.185.129 | 443 | 7856 | C:\Users\user\Desktop\c7WJL1gt32.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-11 06:39:43 UTC | 258 | OUT | |
| 2025-01-11 06:39:45 UTC | 4932 | IN | |
| 2025-01-11 06:39:45 UTC | 4932 | IN | |
| 2025-01-11 06:39:45 UTC | 4834 | IN | |
| 2025-01-11 06:39:45 UTC | 1323 | IN | |
| 2025-01-11 06:39:45 UTC | 1390 | IN | |
| 2025-01-11 06:39:45 UTC | 1390 | IN | |
| 2025-01-11 06:39:45 UTC | 1390 | IN | |
| 2025-01-11 06:39:45 UTC | 1390 | IN | |
| 2025-01-11 06:39:45 UTC | 1390 | IN | |
| 2025-01-11 06:39:45 UTC | 1390 | IN | |
| 2025-01-11 06:39:45 UTC | 1390 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.4 | 49932 | 104.21.80.1 | 443 | 7856 | C:\Users\user\Desktop\c7WJL1gt32.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-11 06:39:48 UTC | 85 | OUT | |
| 2025-01-11 06:39:48 UTC | 859 | IN | |
| 2025-01-11 06:39:48 UTC | 362 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.4 | 49968 | 149.154.167.220 | 443 | 7856 | C:\Users\user\Desktop\c7WJL1gt32.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-11 06:39:55 UTC | 295 | OUT | |
| 2025-01-11 06:39:55 UTC | 1090 | OUT | |
| 2025-01-11 06:39:55 UTC | 388 | IN | |
| 2025-01-11 06:39:55 UTC | 542 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.4 | 49983 | 149.154.167.220 | 443 | 7856 | C:\Users\user\Desktop\c7WJL1gt32.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-11 06:39:57 UTC | 295 | OUT | |
| 2025-01-11 06:39:57 UTC | 1090 | OUT | |
| 2025-01-11 06:39:57 UTC | 388 | IN | |
| 2025-01-11 06:39:57 UTC | 542 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.4 | 49999 | 149.154.167.220 | 443 | 7856 | C:\Users\user\Desktop\c7WJL1gt32.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-11 06:39:59 UTC | 271 | OUT | |
| 2025-01-11 06:39:59 UTC | 1090 | OUT | |
| 2025-01-11 06:39:59 UTC | 388 | IN | |
| 2025-01-11 06:39:59 UTC | 542 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.4 | 50014 | 149.154.167.220 | 443 | 7856 | C:\Users\user\Desktop\c7WJL1gt32.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-11 06:40:05 UTC | 271 | OUT | |
| 2025-01-11 06:40:05 UTC | 1090 | OUT | |
| 2025-01-11 06:40:05 UTC | 388 | IN | |
| 2025-01-11 06:40:05 UTC | 542 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.4 | 50016 | 149.154.167.220 | 443 | 7856 | C:\Users\user\Desktop\c7WJL1gt32.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-11 06:40:11 UTC | 271 | OUT | |
| 2025-01-11 06:40:11 UTC | 1090 | OUT | |
| 2025-01-11 06:40:11 UTC | 388 | IN | |
| 2025-01-11 06:40:11 UTC | 542 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 8 | 192.168.2.4 | 50018 | 149.154.167.220 | 443 | 7856 | C:\Users\user\Desktop\c7WJL1gt32.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-11 06:40:17 UTC | 295 | OUT | |
| 2025-01-11 06:40:17 UTC | 1090 | OUT | |
| 2025-01-11 06:40:17 UTC | 388 | IN | |
| 2025-01-11 06:40:17 UTC | 542 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 9 | 192.168.2.4 | 50021 | 149.154.167.220 | 443 | 7856 | C:\Users\user\Desktop\c7WJL1gt32.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-01-11 06:40:27 UTC | 295 | OUT | |
| 2025-01-11 06:40:27 UTC | 1090 | OUT | |
| 2025-01-11 06:40:28 UTC | 388 | IN | |
| 2025-01-11 06:40:28 UTC | 542 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 01:38:18 |
| Start date: | 11/01/2025 |
| Path: | C:\Users\user\Desktop\c7WJL1gt32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 1'017'781 bytes |
| MD5 hash: | 7549EE46B6E4391BB5D33788FB901E8D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 01:39:30 |
| Start date: | 11/01/2025 |
| Path: | C:\Users\user\Desktop\c7WJL1gt32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 1'017'781 bytes |
| MD5 hash: | 7549EE46B6E4391BB5D33788FB901E8D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | false |
Execution Graph
| Execution Coverage: | 20.4% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 20.4% |
| Total number of Nodes: | 1564 |
| Total number of Limit Nodes: | 38 |
Graph
Function 004034A5 Relevance: 84.4, APIs: 32, Strings: 16, Instructions: 410stringfilecomCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404DCC Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CF11B5F Relevance: 20.1, APIs: 13, Instructions: 576stringlibrarymemoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405AFA Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148filestringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406AF2 Relevance: 5.4, APIs: 4, Instructions: 382COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403E86 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346windowstringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403AD8 Relevance: 44.0, APIs: 13, Strings: 12, Instructions: 215stringregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402F30 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 203memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040640A Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 209stringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145stringtimeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406752 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402032 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004023E4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004053C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004062B6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406F27 Relevance: 5.2, APIs: 4, Instructions: 236COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407128 Relevance: 5.2, APIs: 4, Instructions: 208COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406E3E Relevance: 5.2, APIs: 4, Instructions: 205COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406D91 Relevance: 5.2, APIs: 4, Instructions: 180COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406EAF Relevance: 5.2, APIs: 4, Instructions: 170COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406DFB Relevance: 5.2, APIs: 4, Instructions: 168COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004031D6 Relevance: 3.1, APIs: 2, Instructions: 88COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401E49 Relevance: 3.0, APIs: 2, Instructions: 25COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405EDE Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040599C Relevance: 3.0, APIs: 2, Instructions: 9COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CF12AAC Relevance: 1.6, APIs: 1, Instructions: 143COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040167B Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004027EF Relevance: 1.5, APIs: 1, Instructions: 28COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CF12993 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040345D Relevance: 1.5, APIs: 1, Instructions: 6COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404394 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040558F Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284windowclipboardmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404850 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402868 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040451E Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204windowstringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406034 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004043C6 Relevance: 12.1, APIs: 8, Instructions: 68COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404D1A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402DF3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CF12569 Relevance: 9.1, APIs: 6, Instructions: 109COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404C0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402598 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CF118D9 Relevance: 7.7, APIs: 5, Instructions: 194COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CF12394 Relevance: 7.6, APIs: 5, Instructions: 135memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401DB9 Relevance: 7.5, APIs: 5, Instructions: 43COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CF1161D Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401D5D Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401C1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405CBD Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401B77 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 72memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405DC5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004059D1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405D09 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CF110E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405E43 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 10.1% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 2.4% |
| Total number of Nodes: | 245 |
| Total number of Limit Nodes: | 17 |
Graph
Function 00155978 Relevance: 9.7, Strings: 7, Instructions: 918COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001519C4 Relevance: 8.2, Strings: 6, Instructions: 746COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00154328 Relevance: 6.4, Strings: 5, Instructions: 194COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00158DF5 Relevance: 4.8, Strings: 3, Instructions: 1086COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3833E790 Relevance: 2.0, Strings: 1, Instructions: 764COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3831BDF0 Relevance: 2.0, Strings: 1, Instructions: 758COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38318650 Relevance: .7, Instructions: 709COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 37B6C638 Relevance: .3, Instructions: 323COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 37B603AF Relevance: .3, Instructions: 271COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 37B60C28 Relevance: .2, Instructions: 220COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 37B60C1A Relevance: .2, Instructions: 219COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3831A360 Relevance: .2, Instructions: 219COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38319D10 Relevance: .2, Instructions: 219COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3831A9B0 Relevance: .2, Instructions: 218COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 383196C8 Relevance: .2, Instructions: 218COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 37B60F6F Relevance: .2, Instructions: 202COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3831BA97 Relevance: .2, Instructions: 189COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38318640 Relevance: .2, Instructions: 167COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3831A9A0 Relevance: .2, Instructions: 161COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 383196B8 Relevance: .2, Instructions: 161COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38319D00 Relevance: .1, Instructions: 118COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3831A352 Relevance: .1, Instructions: 104COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001568E5 Relevance: 6.6, Strings: 5, Instructions: 335COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38330970 Relevance: 6.1, APIs: 4, Instructions: 132threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38330980 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00157458 Relevance: 3.2, Strings: 2, Instructions: 704COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001554A8 Relevance: 2.7, Strings: 2, Instructions: 201COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00154F24 Relevance: 2.7, Strings: 2, Instructions: 164COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3831D548 Relevance: 2.7, Strings: 2, Instructions: 151COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00158D19 Relevance: 2.5, Strings: 2, Instructions: 44COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38331DC0 Relevance: 1.6, APIs: 1, Instructions: 93COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38330BC0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38330BC8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38332018 Relevance: 1.5, APIs: 1, Instructions: 47timeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3833C560 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3833D3E8 Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3833E6C9 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38332020 Relevance: 1.5, APIs: 1, Instructions: 44timeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3833E6D0 Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00150B29 Relevance: 1.5, Strings: 1, Instructions: 203COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00150B30 Relevance: 1.4, Strings: 1, Instructions: 200COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00158E0C Relevance: 1.4, Strings: 1, Instructions: 148COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3831CC28 Relevance: 1.4, Strings: 1, Instructions: 144COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00159FB4 Relevance: 1.3, Strings: 1, Instructions: 90COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3831BD98 Relevance: 1.3, Strings: 1, Instructions: 23COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3831C173 Relevance: .3, Instructions: 319COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00155068 Relevance: .2, Instructions: 206COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00156C98 Relevance: .2, Instructions: 201COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3831FAB0 Relevance: .2, Instructions: 189COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38317920 Relevance: .1, Instructions: 147COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00153168 Relevance: .1, Instructions: 134COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001592C3 Relevance: .1, Instructions: 126COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00158BF0 Relevance: .1, Instructions: 105COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00154620 Relevance: .1, Instructions: 101COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00156F30 Relevance: .1, Instructions: 91COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3831CF30 Relevance: .1, Instructions: 91COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3831CF68 Relevance: .1, Instructions: 88COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00156F40 Relevance: .1, Instructions: 87COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3831FAA1 Relevance: .1, Instructions: 85COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001518C8 Relevance: .1, Instructions: 77COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001552C0 Relevance: .1, Instructions: 76COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38317911 Relevance: .1, Instructions: 76COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000AD030 Relevance: .1, Instructions: 72COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001517BA Relevance: .1, Instructions: 70COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0015324D Relevance: .1, Instructions: 68COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00150ED0 Relevance: .1, Instructions: 66COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0015461D Relevance: .1, Instructions: 65COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00158729 Relevance: .1, Instructions: 65COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00155F89 Relevance: .1, Instructions: 60COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3831B9B8 Relevance: .1, Instructions: 60COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0015B2C8 Relevance: .1, Instructions: 59COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001552C8 Relevance: .1, Instructions: 59COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0015B2E0 Relevance: .1, Instructions: 56COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3831B9C8 Relevance: .1, Instructions: 56COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00154E5F Relevance: .1, Instructions: 52COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3831F090 Relevance: .1, Instructions: 51COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3831E7F4 Relevance: .0, Instructions: 50COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0015B2F0 Relevance: .0, Instructions: 49COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3831CE50 Relevance: .0, Instructions: 45COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3831EC1A Relevance: .0, Instructions: 39COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 383195E8 Relevance: .0, Instructions: 39COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3831CE60 Relevance: .0, Instructions: 39COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00158BE0 Relevance: .0, Instructions: 36COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3831D4C8 Relevance: .0, Instructions: 35COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38319608 Relevance: .0, Instructions: 35COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00159EF6 Relevance: .0, Instructions: 34COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0015B158 Relevance: .0, Instructions: 32COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0015B168 Relevance: .0, Instructions: 25COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0015FE20 Relevance: .0, Instructions: 23COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0015187F Relevance: .0, Instructions: 21COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00151888 Relevance: .0, Instructions: 19COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001556FF Relevance: .0, Instructions: 18COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00157EC0 Relevance: .0, Instructions: 18COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3831D093 Relevance: .0, Instructions: 18COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00159F6D Relevance: .0, Instructions: 16COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0015FF30 Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 383195D8 Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3831BD48 Relevance: .0, Instructions: 13COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00155710 Relevance: .0, Instructions: 12COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 383194B4 Relevance: .0, Instructions: 12COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004034A5 Relevance: 75.7, APIs: 32, Strings: 11, Instructions: 410stringfilecomCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404DCC Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3831AFF8 Relevance: 23.0, Strings: 18, Instructions: 461COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405AFA Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 148filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 3831AFF7 Relevance: 12.9, Strings: 10, Instructions: 359COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406AF2 Relevance: 5.4, APIs: 4, Instructions: 382COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 37B6E790 Relevance: 1.5, Strings: 1, Instructions: 274COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 37B6DEE1 Relevance: 1.5, Strings: 1, Instructions: 273COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38317B4F Relevance: .6, Instructions: 599COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 37B6B07F Relevance: .3, Instructions: 277COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 37B6F044 Relevance: .3, Instructions: 277COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 37B6BD88 Relevance: .3, Instructions: 276COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 37B6E339 Relevance: .3, Instructions: 272COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 37B6DA89 Relevance: .3, Instructions: 272COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38314820 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38317070 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38311858 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38312108 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 383129B8 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38315208 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38313268 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38315AB8 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38313B18 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38316368 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 383143C8 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38316C18 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38311400 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38311CB0 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 383174C8 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38312560 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38314DB0 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38312E10 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38315660 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 383136C0 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38315F10 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38313F70 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38310FA8 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 383167C0 Relevance: .3, Instructions: 268COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 37B6B4D8 Relevance: .3, Instructions: 263COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 37B6C1E0 Relevance: .3, Instructions: 262COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 37B6B930 Relevance: .3, Instructions: 262COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 37B6EBE8 Relevance: .3, Instructions: 257COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040558F Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284windowclipboardmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403E86 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346windowstringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403AD8 Relevance: 38.7, APIs: 13, Strings: 9, Instructions: 215stringregistryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040451E Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 204windowstringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404850 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 275stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406034 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402F30 Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 203memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040640A Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 209stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004043C6 Relevance: 12.1, APIs: 8, Instructions: 68COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404D1A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406752 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402DF3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404C0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401DB9 Relevance: 7.5, APIs: 5, Instructions: 43COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401D5D Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401C1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040591F Relevance: 6.0, APIs: 4, Instructions: 39COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405DC5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004053C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004059D1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406F27 Relevance: 5.2, APIs: 4, Instructions: 236COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00407128 Relevance: 5.2, APIs: 4, Instructions: 208COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406E3E Relevance: 5.2, APIs: 4, Instructions: 205COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406943 Relevance: 5.2, APIs: 4, Instructions: 198COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406D91 Relevance: 5.2, APIs: 4, Instructions: 180COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406EAF Relevance: 5.2, APIs: 4, Instructions: 170COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406DFB Relevance: 5.2, APIs: 4, Instructions: 168COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 001558E8 Relevance: 5.0, Strings: 4, Instructions: 49COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405E43 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|