Windows
Analysis Report
LX4CUQO8qI.dll
Overview
General Information
Sample name: | LX4CUQO8qI.dll (renamed because original name is a hash value) |
Original sample name: | 882E00DD2C44F57162C0AC90858E8FC7.dll |
Analysis ID: | 1500271 |
MD5: | 882e00dd2c44f57162c0ac90858e8fc7 |
SHA1: | 8e7c38c20fb19e890c896a4c98108b291237afb8 |
SHA256: | d999e7ee9fb086bf4109f9c1821d959fd8b038902fa6f8dff2c3beafc36bee7b |
Tags: | dll |
Infos: | |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- loaddll32.exe (PID: 7704 cmdline: loaddll32.exe "C:\Users\user\Desktop\LX4CUQO8qI.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
- conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7752 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\LX4CUQO8qI.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- rundll32.exe (PID: 7780 cmdline: rundll32.exe "C:\Users\user\Desktop\LX4CUQO8qI.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
- regsvr32.exe (PID: 7764 cmdline: regsvr32.exe /s C:\Users\user\Desktop\LX4CUQO8qI.dll MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
- rundll32.exe (PID: 7788 cmdline: rundll32.exe C:\Users\user\Desktop\LX4CUQO8qI.dll,DllGetClassObject MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7868 cmdline: rundll32.exe C:\Users\user\Desktop\LX4CUQO8qI.dll,DllMain MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7924 cmdline: rundll32.exe C:\Users\user\Desktop\LX4CUQO8qI.dll,DllRegisterServer MD5: 889B99C52A60DD49227C5E485A016679)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Cobalt Strike, CobaltStrike | Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon offers the attacker a wealth of functionality, including, but not limited to, command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that, once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS and SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable. | | | |
{"BeaconType": ["HTTPS"], "Port": 2003, "SleepTime": 30000, "MaxGetSize": 1398102, "Jitter": 20, "C2Server": "154.82.113.115,/owa/", "HttpPostUri": "/OWA/", "Malleable_C2_Instructions": ["Base64 URL-safe decode"], "HttpGet_Verb": "GET", "HttpPost_Verb": "GET", "HttpPostChunk": 96, "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe", "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "True", "bCFGCaution": "True", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "False", "bProcInject_MinAllocSize": 16700, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["ntdll.dll:RtlUserThreadStart", "SetThreadContext", "NtQueueApcThread-s", "kernel32.dll:LoadLibraryA", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "NtMapViewOfSection", "bUsesCookies": "True", "HostHeader": ""}
Rule | Description | Author | Strings |
---|---|---|---|
Windows_Trojan_Metasploit_7bc0f998 | Identifies the API address lookup function leveraged by Metasploit shellcode | unknown | |
Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown | |
JoeSecurity_CobaltStrike_3 | Yara detected CobaltStrike | Joe Security | |
JoeSecurity_CobaltStrike_2 | Yara detected CobaltStrike | Joe Security | |
JoeSecurity_CobaltStrike_3 | Yara detected CobaltStrike | Joe Security | |
Rule | Description | Author | Strings |
---|---|---|---|
JoeSecurity_CobaltStrike_3 | Yara detected CobaltStrike | Joe Security | |
JoeSecurity_CobaltStrike_3 | Yara detected CobaltStrike | Joe Security | |
Windows_Trojan_Metasploit_7bc0f998 | Identifies the API address lookup function leveraged by Metasploit shellcode | unknown | |
Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown | |
Timestamp | SID | Severity | Source Port | Destination Port | Protocol | Classtype |
---|---|---|---|---|---|---|
2024-08-28T07:10:22.534991+0200 | 2028765 | 3 | 49742 | 2003 | TCP | Unknown Traffic |
2024-08-28T07:10:28.243287+0200 | 2028765 | 3 | 49743 | 2003 | TCP | Unknown Traffic |
2024-08-28T07:09:32.344215+0200 | 2035651 | 1 | 2003 | 49730 | TCP | A Network Trojan was detected |
2024-08-28T07:11:27.521168+0200 | 2028765 | 3 | 49754 | 2003 | TCP | Unknown Traffic |
2024-08-28T07:10:16.208107+0200 | 2028765 | 3 | 49741 | 2003 | TCP | Unknown Traffic |
2024-08-28T07:10:58.177119+0200 | 2028765 | 3 | 49749 | 2003 | TCP | Unknown Traffic |
2024-08-28T07:10:40.161221+0200 | 2028765 | 3 | 49746 | 2003 | TCP | Unknown Traffic |
2024-08-28T07:11:16.231106+0200 | 2028765 | 3 | 49752 | 2003 | TCP | Unknown Traffic |
2024-08-28T07:11:10.815329+0200 | 2028765 | 3 | 49751 | 2003 | TCP | Unknown Traffic |
2024-08-28T07:11:21.946675+0200 | 2028765 | 3 | 49753 | 2003 | TCP | Unknown Traffic |
2024-08-28T07:10:46.453380+0200 | 2028765 | 3 | 49747 | 2003 | TCP | Unknown Traffic |
2024-08-28T07:11:04.280237+0200 | 2028765 | 3 | 49750 | 2003 | TCP | Unknown Traffic |
2024-08-28T07:10:08.303721+0200 | 2028765 | 3 | 49739 | 2003 | TCP | Unknown Traffic |
2024-08-28T07:10:33.718106+0200 | 2028765 | 3 | 49744 | 2003 | TCP | Unknown Traffic |
2024-08-28T07:10:52.741600+0200 | 2028765 | 3 | 49748 | 2003 | TCP | Unknown Traffic |
2024-08-28T07:09:30.416134+0200 | 2028765 | 3 | 49730 | 2003 | TCP | Unknown Traffic |
2024-08-28T07:10:03.136520+0200 | 2028765 | 3 | 49738 | 2003 | TCP | Unknown Traffic |
AV Detection |
---|
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | Virustotal: |
Source: | Integrated Neural Analysis Model: |
Source: | Code function: | 0_2_0096D7AA |
Source: | Static PE information: |
Source: | Code function: | 0_2_0096480C |
Source: | Code function: | 0_2_0096925B |
Networking |
---|
Source: | Suricata IDS: |
Source: | URLs: |
Source: | TCP traffic: |
Source: | ASN Name: |
Source: | Suricata IDS: |
Source: | TCP traffic detected without corresponding DNS query: |
Source: | Code function: | 0_2_0096296B |
Source: | String found in binary or memory: |
System Summary |
---|
Source: | Matched rule: |
Source: | Code function: | 0_2_00964065 |
Source: | Code function: | 0_3_01098954 |
Source: | Code function: | 0_3_010A5DB8 |
Source: | Code function: | 0_3_010A2470 |
Source: | Code function: | 0_3_010A57E8 |
Source: | Code function: | 0_3_0109365C |
Source: | Code function: | 0_2_009838D1 |
Source: | Code function: | 0_2_009840FD |
Source: | Code function: | 0_2_00983028 |
Source: | Code function: | 0_2_00986145 |
Source: | Code function: | 0_2_00986970 |
Source: | Code function: | 0_2_00974214 |
Source: | Code function: | 0_2_009863A0 |
Source: | Code function: | 0_2_00985B20 |
Source: | Code function: | 0_2_00983CDD |
Source: | Code function: | 0_2_009834FD |
Source: | Code function: | 0_2_0097950C |
Source: | Code function: | 0_3_0108CD8D |
Source: | Code function: |
Source: | Static PE information: |
Source: | Matched rule: |
Source: | Classification label: |
Source: | Code function: | 0_2_009637C3 |
Source: | Code function: | 0_2_00969031 |
Source: | Mutant created: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Process created: |
Source: | ReversingLabs: |
Source: | Virustotal: |
Source: | Process created: |
Source: | Section loaded: |
Source: | Key value queried: |
Source: | Static PE information: |
Source: | Code function: | 0_2_009809A5 |
Source: | Static PE information: |
Source: | Process created: |
Source: | Code function: | 0_3_0109624F |
Source: | Code function: | 0_3_01095730 |
Source: | Code function: | 0_3_01096F70 |
Source: | Code function: | 0_3_01098F74 |
Source: | Code function: | 0_2_0098ABE5 |
Source: | Code function: | 0_2_00979B2C |
Source: | Code function: | 0_2_00989331 |
Source: | Code function: | 0_2_00976E07 |
Source: | Code function: | 0_2_0391065F |
Source: | Process information set: |
Malware Analysis System Evasion |
---|
Source: | Code function: | 0_2_00963374 |
Source: | Code function: | 0_2_00966C1F |
Source: | Decision node followed by non-executed suspicious API: | graph_0-20603 |
Source: | Evasive API call chain: | graph_0-19760 |
Source: | Evasive API call chain: | graph_0-20367 |
Source: | Evasive API call chain: | graph_0-19098 |
Source: | Evasive API call chain: | graph_0-18709 |
Source: | API coverage: |
Source: | Code function: | 0_2_00966C1F |
Source: | Last function: |
Source: | Code function: | 0_2_0096480C |
Source: | Code function: | 0_2_0096925B |
Source: | Thread delayed: |
Source: | Binary or memory string: |
Source: | API call chain: | graph_0-19099 |
Source: | Code function: | 0_2_0391047E |
Source: | Code function: | 0_2_0097EB2E |
Source: | Code function: | 0_2_009809A5 |
Source: | Code function: | 0_3_010B479D |
Source: | Code function: | 0_3_010B47AA |
Source: | Code function: | 0_2_039101A1 |
Source: | Code function: | 0_2_039101AE |
Source: | Code function: | 0_2_00984B20 |
Source: | Code function: | 0_2_00981150 |
Source: | Code function: | 0_2_0097EB2E |
Source: | Code function: | 0_2_0097AD12 |
Source: | Code function: | 0_2_0096CAAA |
Source: | Process created: |
Source: | Code function: | 0_2_0096CC7A |
Source: | Code function: | 0_2_009846F0 |
Source: | Code function: | 0_2_00963873 |
Source: | Code function: | 0_2_00978876 |
Source: | Code function: | 0_2_00966CD1 |
Source: | Key value queried: |
Remote Access Functionality |
---|
Source: | File source: |
Source: | Code function: | 0_2_00967293 |
Source: | Code function: | 0_2_00967375 |
Source: | Code function: | 0_2_0096D5DB |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 3 Native API | 2 Valid Accounts | 2 Valid Accounts | 2 Valid Accounts | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 21 Access Token Manipulation | 1 Virtualization/Sandbox Evasion | LSASS Memory | 131 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 12 Process Injection | 21 Access Token Manipulation | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 12 Process Injection | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Regsvr32 | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Rundll32 | Proc Filesystem | 14 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
Detection | Scanner | Label |
---|---|---|
66% | ReversingLabs | Win32.Trojan.CobaltStrike |
60% | Virustotal | |
100% | Avira | HEUR/AGEN.1354117 |
Detection | Scanner | Label |
---|---|---|
0% | Virustotal | |
0% | Virustotal | |
Detection | Scanner | Label |
---|---|---|
0% | Avira URL Cloud | safe |
0% | Avira URL Cloud | safe |
0% | Avira URL Cloud | safe |
0% | Avira URL Cloud | safe |
0% | Avira URL Cloud | safe |
0% | Avira URL Cloud | safe |
0% | Avira URL Cloud | safe |
9% | Virustotal | |
9% | Virustotal | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | unknown |
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 84.201.210.21 | true | false | | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| | true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | | false | | unknown |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | unknown |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
154.82.113.115 | unknown | Seychelles | 32708 | ROOTNETWORKSUS | true |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1500271 |
Start date and time: | 2024-08-28 07:08:29 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 19s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Run name: | Run with higher sleep bypass |
Number of new started processes analysed: | 12 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | LX4CUQO8qI.dll (renamed because original name is a hash value) |
Original Sample Name: | 882E00DD2C44F57162C0AC90858E8FC7.dll |
Detection: | MAL |
Classification: | mal100.troj.evad.winDLL@14/4@0/1 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 199.232.210.172
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Match | Detection | Threat Name |
---|---|---|
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | malicious | HTMLPhisher |
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | malicious | Unknown |
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | malicious | Unknown |
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | malicious | Unknown |
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | malicious | Quasar |
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | malicious | Unknown |
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | malicious | Coinhive |
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | malicious | Telegram Phisher |
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | malicious | Unknown |
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | malicious | HTMLPhisher |
bg.microsoft.map.fastly.net | malicious | SilverRat |
bg.microsoft.map.fastly.net | malicious | Unknown |
bg.microsoft.map.fastly.net | malicious | Unknown |
bg.microsoft.map.fastly.net | malicious | Unknown |
bg.microsoft.map.fastly.net | malicious | HTMLPhisher |
bg.microsoft.map.fastly.net | malicious | Unknown |
bg.microsoft.map.fastly.net | malicious | Unknown |
bg.microsoft.map.fastly.net | malicious | Unknown |
bg.microsoft.map.fastly.net | malicious | Unknown |
bg.microsoft.map.fastly.net | malicious | Unknown |
Match | Detection | Threat Name |
---|---|---|
ROOTNETWORKSUS | malicious | Unknown |
ROOTNETWORKSUS | malicious | GhostRat |
ROOTNETWORKSUS | malicious | GhostRat |
ROOTNETWORKSUS | malicious | Unknown |
ROOTNETWORKSUS | malicious | Mirai |
ROOTNETWORKSUS | malicious | Unknown |
ROOTNETWORKSUS | malicious | Unknown |
ROOTNETWORKSUS | malicious | GhostRat, Mimikatz, Nitol |
ROOTNETWORKSUS | malicious | Unknown |
ROOTNETWORKSUS | malicious | Unknown |
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Process: | C:\Windows\System32\loaddll32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 71954 |
Entropy (8bit): | 7.996617769952133 |
Encrypted: | true |
SSDEEP: | 1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ |
MD5: | 49AEBF8CBD62D92AC215B2923FB1B9F5 |
SHA1: | 1723BE06719828DDA65AD804298D0431F6AFF976 |
SHA-256: | B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F |
SHA-512: | BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B |
Malicious: | false |
Reputation: | high, very likely benign file |
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Process: | C:\Windows\System32\loaddll32.exe |
File Type: | |
Category: | modified |
Size (bytes): | 328 |
Entropy (8bit): | 3.229605184327072 |
Encrypted: | false |
SSDEEP: | 6:kKv9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:2DImsLNkPlE99SNxAhUe/3 |
MD5: | 1D03BEA958C410A26CEAC6A48F63D21F |
SHA1: | 1AD004103D1D2F31E32636BA17FC7E9C400AF016 |
SHA-256: | 42C7EA99DE8977C620714CF23F3CDB5670B93603C96C1F3FC119BF584809A9DB |
SHA-512: | 863CCFED9F211804A48534FD2D81748D41EF7F9B0D184D6B23B9F149A7007ACC477DF40D18D50CF9655D71048A902D45B72E5D230B9DE4CA97B5273760785BAB |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\System32\loaddll32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 239616 |
Entropy (8bit): | 7.528695531238492 |
Encrypted: | false |
SSDEEP: | 3072:SnvEg+AeNNOcCsO8JzxPuvEKbZTOTCMIGEvWZSfx13gArA7lre5YtszmY229qZAt:SbWNKshx2JZmrxkn3gmAJoYjY2HZA4I3 |
MD5: | 4ACFF65641011450C7E5669D6390148A |
SHA1: | 2BB5CAD326881A622BC7662FF2E6FD2AC1817179 |
SHA-256: | E8432C9C2694766BD8ED345EC636DF00B5E57C053F1BBDCDD59B7BABC319EE59 |
SHA-512: | 6C35481D4434FE4B025C21C064F8427AB1FCE31B503FB1EE788BC380CAE307E3E81679B533BEB739C2328CC6945C051ADB11B4A14B7CE8019D65DD23C4BCAD92 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\rundll32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 102400 |
Entropy (8bit): | 7.6470620959270175 |
Encrypted: | false |
SSDEEP: | 3072:SnvEg+AeNNOcCsO8JzxPuvEKbZTOTCMIGEvWZT:SbWNKshx2JZmrxT |
MD5: | 74FFE47C6D4DE71335D2D8D99E13D37B |
SHA1: | 59E3B38BBE6536D2E81579F86E5A0B0784A12004 |
SHA-256: | ADDDD0957AAFDB649C1EA22A48322EDA7F8C1C07E40B506A5B0255BAD59426A9 |
SHA-512: | 05773724BF1E6F60B8F68AB50171637AD091E8B60F59659F442DEF9580A1AD973EC93FF6244786FFA10B83B57DA656D87EDC7DAFFC34B77A7DF5E95662203F2D |
Malicious: | false |
Reputation: | low |
File type: | |
Entropy (8bit): | 6.6167264315880985 |
TrID: | |
File name: | LX4CUQO8qI.dll |
File size: | 355'840 bytes |
MD5: | 882e00dd2c44f57162c0ac90858e8fc7 |
SHA1: | 8e7c38c20fb19e890c896a4c98108b291237afb8 |
SHA256: | d999e7ee9fb086bf4109f9c1821d959fd8b038902fa6f8dff2c3beafc36bee7b |
SHA512: | 05e75efbd6f383564091950f6d8bfe5069700c859f9beb20a7627fc9052a0cea5beb8d133a4e3fee6c71386992ac4efa6beb5d86262b5729f934a3c0e8c4619b |
SSDEEP: | 6144:DsyrpKZu/6bWNKshx2JZmrxkn3gmAJoYjY2HZA4I:DdVKZu/6phJZminOGOY259I |
TLSH: | 8B749D9AE5CE3BBFF151D730C40FA725AF9029983369872C49C587592BA761333C981B |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...;.&f...........#...).v...j.....................l................................."....@... ............................ |
Icon Hash: | 7ae282899bbab082 |
Entrypoint: | 0x6cfc1390 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x6cfc0000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x6626E13B [Mon Apr 22 22:14:19 2024 UTC] |
TLS Callbacks: | 0x6cfc1ca0, 0x6cfc1c50 |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | b189f83bdce907074c1f8f63d1974fe5 |
Instruction |
---|
sub esp, 0Ch |
mov dword ptr [6D018120h], 00000000h |
mov ecx, dword ptr [esp+18h] |
mov edx, dword ptr [esp+14h] |
mov eax, dword ptr [esp+10h] |
call 00007FE5F0E896F7h |
add esp, 0Ch |
retn 000Ch |
lea esi, dword ptr [esi+00000000h] |
lea esi, dword ptr [esi+00h] |
nop |
sub esp, 1Ch |
mov eax, dword ptr [esp+20h] |
mov dword ptr [esp], 6D018000h |
mov dword ptr [esp+04h], eax |
call 00007FE5F0E9025Eh |
add esp, 1Ch |
ret |
nop |
nop |
nop |
nop |
nop |
push ebp |
mov ebp, esp |
push edi |
push esi |
push ebx |
sub esp, 1Ch |
mov dword ptr [esp], 6D015000h |
call dword ptr [6D01A170h] |
sub esp, 04h |
test eax, eax |
je 00007FE5F0E89915h |
mov ebx, eax |
mov dword ptr [esp], 6D015000h |
call dword ptr [6D01A198h] |
mov edi, dword ptr [6D01A178h] |
sub esp, 04h |
mov dword ptr [6D018010h], eax |
mov dword ptr [esp+04h], 6D015013h |
mov dword ptr [esp], ebx |
call edi |
sub esp, 08h |
mov esi, eax |
mov dword ptr [esp+04h], 6D015029h |
mov dword ptr [esp], ebx |
call edi |
sub esp, 08h |
mov dword ptr [6CFC9004h], eax |
test esi, esi |
je 00007FE5F0E898B3h |
mov dword ptr [esp+04h], 6D018014h |
mov dword ptr [esp], 6D016124h |
call esi |
mov dword ptr [eax+eax], 00000000h |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x59000 | 0xaa | .edata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5a000 | 0x6bc | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5d000 | 0x440 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x5508c | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x5a138 | 0xfc | .idata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x7414 | 0x7600 | 7b0ba2fcfe5af863b8a244efed9daee3 | False | 0.5615068855932204 | data | 6.221679032999006 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.data | 0x9000 | 0x4bc84 | 0x4be00 | c2d0f53aa616f3acbcdfa7422204216e | False | 0.5452243358731467 | data | 6.566620498653716 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0x55000 | 0x80c | 0xa00 | 528975c1e588ce61a8d4929a68abb985 | False | 0.3359375 | data | 4.914761132868546 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.eh_fram | 0x56000 | 0x171c | 0x1800 | 939f3d7920cb73aa42f05db7121f35b1 | False | 0.3489583333333333 | data | 4.806623669374318 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.bss | 0x58000 | 0xb30 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.edata | 0x59000 | 0xaa | 0x200 | 8f6553dc45cea0fe170cb488b61b82ee | False | 0.265625 | data | 1.962743792527949 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.idata | 0x5a000 | 0x6bc | 0x800 | 5dc42cd4f08ec230e77ec216282edbcc | False | 0.38330078125 | data | 4.5785745189937455 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.CRT | 0x5b000 | 0x2c | 0x200 | d8422d6e25ecb2eb08bca8f681b56a0b | False | 0.0546875 | data | 0.20153937813451883 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0x5c000 | 0x8 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.reloc | 0x5d000 | 0x440 | 0x600 | 5562fa3d49c966c6955281f58b6f3fef | False | 0.6412760416666666 | data | 5.234940914371754 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
DLL | Import |
---|---|
KERNEL32.dll | CloseHandle, ConvertThreadToFiber, CreateFiber, CreateFileA, CreateMailslotA, CreateThread, DeleteCriticalSection, DeleteFiber, EnterCriticalSection, FreeLibrary, GetCurrentProcess, GetCurrentThreadId, GetLastError, GetMailslotInfo, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetTickCount, HeapAlloc, HeapCreate, HeapReAlloc, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, MultiByteToWideChar, ReadFile, Sleep, SleepEx, SwitchToFiber, TlsGetValue, VirtualProtect, VirtualQuery, WaitForSingleObject, WideCharToMultiByte, WriteFile |
msvcrt.dll | __mb_cur_max, _amsg_exit, _errno, _initterm, _iob, _lock, _unlock, abort, atoi, calloc, fputc, free, fwrite, localeconv, malloc, memcpy, memset, realloc, setlocale, strchr, strerror, strlen, strncmp, vfprintf, wcslen |
Name | Ordinal | Address |
---|---|---|
DllGetClassObject | 1 | 0x6cfc1b56 |
DllMain | 2 | 0x6cfc1b0b |
DllRegisterServer | 3 | 0x6cfc1b50 |
DllUnregisterServer | 4 | 0x6cfc1b53 |
StartW | 5 | 0x6cfc1b63 |
Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|---|
2024-08-28T07:10:22.534991+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 49742 | 2003 | 192.168.2.4 | 154.82.113.115 |
2024-08-28T07:10:28.243287+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 49743 | 2003 | 192.168.2.4 | 154.82.113.115 |
2024-08-28T07:09:32.344215+0200 | TCP | 2035651 | ET MALWARE Meterpreter or Other Reverse Shell SSL Cert | 1 | 2003 | 49730 | 154.82.113.115 | 192.168.2.4 |
2024-08-28T07:11:27.521168+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 49754 | 2003 | 192.168.2.4 | 154.82.113.115 |
2024-08-28T07:10:16.208107+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 49741 | 2003 | 192.168.2.4 | 154.82.113.115 |
2024-08-28T07:10:58.177119+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 49749 | 2003 | 192.168.2.4 | 154.82.113.115 |
2024-08-28T07:10:40.161221+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 49746 | 2003 | 192.168.2.4 | 154.82.113.115 |
2024-08-28T07:11:16.231106+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 49752 | 2003 | 192.168.2.4 | 154.82.113.115 |
2024-08-28T07:11:10.815329+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 49751 | 2003 | 192.168.2.4 | 154.82.113.115 |
2024-08-28T07:11:21.946675+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 49753 | 2003 | 192.168.2.4 | 154.82.113.115 |
2024-08-28T07:10:46.453380+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 49747 | 2003 | 192.168.2.4 | 154.82.113.115 |
2024-08-28T07:11:04.280237+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 49750 | 2003 | 192.168.2.4 | 154.82.113.115 |
2024-08-28T07:10:08.303721+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 49739 | 2003 | 192.168.2.4 | 154.82.113.115 |
2024-08-28T07:10:33.718106+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 49744 | 2003 | 192.168.2.4 | 154.82.113.115 |
2024-08-28T07:10:52.741600+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 49748 | 2003 | 192.168.2.4 | 154.82.113.115 |
2024-08-28T07:09:30.416134+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 49730 | 2003 | 192.168.2.4 | 154.82.113.115 |
2024-08-28T07:10:03.136520+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 49738 | 2003 | 192.168.2.4 | 154.82.113.115 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Aug 28, 2024 07:09:29.552496910 CEST | 49730 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:09:29.557540894 CEST | 2003 | 49730 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:09:29.557624102 CEST | 49730 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:09:29.566930056 CEST | 49730 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:09:29.571799040 CEST | 2003 | 49730 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:09:30.415929079 CEST | 2003 | 49730 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:09:30.416134119 CEST | 49730 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:09:30.679497957 CEST | 2003 | 49730 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:09:30.679660082 CEST | 49730 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:09:32.339308023 CEST | 49730 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:09:32.344214916 CEST | 2003 | 49730 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:09:32.640942097 CEST | 2003 | 49730 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:09:32.641005993 CEST | 49730 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:09:32.950792074 CEST | 2003 | 49730 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:09:32.950949907 CEST | 49730 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:09:32.955272913 CEST | 49730 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:09:32.962480068 CEST | 2003 | 49730 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:09:33.260396957 CEST | 2003 | 49730 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:09:33.260413885 CEST | 2003 | 49730 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:09:33.260478973 CEST | 49730 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:09:33.261339903 CEST | 49730 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:09:33.266108036 CEST | 2003 | 49730 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:01.958992004 CEST | 49738 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:01.963778973 CEST | 2003 | 49738 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:01.963888884 CEST | 49738 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:01.964539051 CEST | 49738 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:01.964539051 CEST | 49738 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:01.969269037 CEST | 2003 | 49738 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:01.969393969 CEST | 2003 | 49738 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:03.136444092 CEST | 2003 | 49738 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:03.136496067 CEST | 2003 | 49738 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:03.136519909 CEST | 49738 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:03.136547089 CEST | 49738 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:03.136568069 CEST | 2003 | 49738 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:03.136604071 CEST | 49738 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:03.137042046 CEST | 49738 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:03.141779900 CEST | 2003 | 49738 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:03.199342966 CEST | 49738 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:03.204082966 CEST | 2003 | 49738 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:03.692744017 CEST | 2003 | 49738 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:03.692823887 CEST | 49738 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:03.692838907 CEST | 2003 | 49738 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:03.692878962 CEST | 49738 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:03.692991972 CEST | 49738 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:03.698405981 CEST | 2003 | 49738 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:07.423533916 CEST | 49739 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:07.428430080 CEST | 2003 | 49739 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:07.428500891 CEST | 49739 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:07.429438114 CEST | 49739 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:07.434252977 CEST | 2003 | 49739 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:08.303601980 CEST | 2003 | 49739 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:08.303720951 CEST | 49739 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:08.559834003 CEST | 2003 | 49739 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:08.559926033 CEST | 49739 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:08.560836077 CEST | 49739 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:08.564593077 CEST | 49739 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:08.565576077 CEST | 2003 | 49739 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:08.569331884 CEST | 2003 | 49739 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:10.116363049 CEST | 2003 | 49739 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:10.116378069 CEST | 2003 | 49739 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:10.116386890 CEST | 2003 | 49739 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:10.116441965 CEST | 49739 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:10.116476059 CEST | 49739 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:10.116574049 CEST | 2003 | 49739 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:10.116616964 CEST | 49739 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:10.116710901 CEST | 49739 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:10.117238998 CEST | 2003 | 49739 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:10.117302895 CEST | 49739 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:10.117908001 CEST | 2003 | 49739 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:10.117942095 CEST | 49739 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:10.121588945 CEST | 2003 | 49739 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:14.552598953 CEST | 49741 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:14.557573080 CEST | 2003 | 49741 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:14.557636023 CEST | 49741 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:14.557876110 CEST | 49741 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:14.562637091 CEST | 2003 | 49741 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:16.207902908 CEST | 2003 | 49741 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:16.208106995 CEST | 49741 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:16.208158970 CEST | 2003 | 49741 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:16.208205938 CEST | 49741 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:16.208683014 CEST | 2003 | 49741 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:16.208740950 CEST | 49741 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:16.208817005 CEST | 2003 | 49741 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:16.208856106 CEST | 49741 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:16.209034920 CEST | 49741 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:16.210259914 CEST | 49741 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:16.520242929 CEST | 49741 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:16.603624105 CEST | 2003 | 49741 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:16.603684902 CEST | 49741 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:16.604624033 CEST | 2003 | 49741 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:16.604633093 CEST | 2003 | 49741 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:16.604640961 CEST | 2003 | 49741 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:16.916984081 CEST | 2003 | 49741 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:16.917072058 CEST | 2003 | 49741 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:16.917078972 CEST | 49741 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:16.917114973 CEST | 2003 | 49741 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:16.917121887 CEST | 49741 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:16.917152882 CEST | 49741 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:16.917505026 CEST | 49741 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:16.922336102 CEST | 2003 | 49741 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:20.646409988 CEST | 49742 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:21.031791925 CEST | 2003 | 49742 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:21.031873941 CEST | 49742 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:21.034441948 CEST | 49742 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:21.039244890 CEST | 2003 | 49742 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:22.534687996 CEST | 2003 | 49742 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:22.534722090 CEST | 2003 | 49742 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:22.534734964 CEST | 2003 | 49742 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:22.534742117 CEST | 2003 | 49742 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:22.534991026 CEST | 49742 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:22.534991026 CEST | 49742 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:22.535372972 CEST | 49742 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:22.536791086 CEST | 49742 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:22.540074110 CEST | 2003 | 49742 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:22.540131092 CEST | 49742 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:22.540131092 CEST | 2003 | 49742 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:22.541672945 CEST | 2003 | 49742 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:23.088709116 CEST | 2003 | 49742 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:23.088736057 CEST | 2003 | 49742 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:23.088956118 CEST | 49742 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:23.088956118 CEST | 49742 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:23.093789101 CEST | 2003 | 49742 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:27.172983885 CEST | 49743 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:27.333549976 CEST | 2003 | 49743 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:27.333734035 CEST | 49743 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:27.334048033 CEST | 49743 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:27.338849068 CEST | 2003 | 49743 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:28.243228912 CEST | 2003 | 49743 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:28.243287086 CEST | 49743 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:28.510557890 CEST | 2003 | 49743 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:28.510870934 CEST | 49743 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:28.511223078 CEST | 49743 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:28.512475967 CEST | 49743 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:28.515958071 CEST | 2003 | 49743 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:28.517277956 CEST | 2003 | 49743 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:29.112097025 CEST | 2003 | 49743 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:29.112184048 CEST | 2003 | 49743 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:29.112220049 CEST | 49743 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:29.112364054 CEST | 49743 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:29.112365007 CEST | 49743 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:29.117305040 CEST | 2003 | 49743 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:32.820000887 CEST | 49744 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:32.824949026 CEST | 2003 | 49744 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:32.825009108 CEST | 49744 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:32.825274944 CEST | 49744 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:32.830708981 CEST | 2003 | 49744 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:33.718008995 CEST | 2003 | 49744 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:33.718106031 CEST | 49744 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:34.044672012 CEST | 2003 | 49744 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:34.044751883 CEST | 49744 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:34.045131922 CEST | 49744 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:34.046422005 CEST | 49744 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:34.051151037 CEST | 2003 | 49744 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:34.052891970 CEST | 2003 | 49744 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:34.626121044 CEST | 2003 | 49744 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:34.626133919 CEST | 2003 | 49744 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:34.626146078 CEST | 2003 | 49744 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:34.626189947 CEST | 49744 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:34.626219988 CEST | 49744 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:34.626354933 CEST | 49744 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:34.631268978 CEST | 2003 | 49744 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:39.240241051 CEST | 49746 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:39.245431900 CEST | 2003 | 49746 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:39.245520115 CEST | 49746 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:39.245860100 CEST | 49746 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:39.250688076 CEST | 2003 | 49746 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:40.161151886 CEST | 2003 | 49746 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:40.161221027 CEST | 49746 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:40.427700996 CEST | 2003 | 49746 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:40.427886963 CEST | 49746 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:40.428163052 CEST | 49746 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:40.432948112 CEST | 2003 | 49746 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:40.433528900 CEST | 49746 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:40.438546896 CEST | 2003 | 49746 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:41.017203093 CEST | 2003 | 49746 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:41.017219067 CEST | 2003 | 49746 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:41.017227888 CEST | 2003 | 49746 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:41.017394066 CEST | 49746 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:41.017496109 CEST | 49746 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:41.022242069 CEST | 2003 | 49746 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:45.505904913 CEST | 49747 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:45.511054039 CEST | 2003 | 49747 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:45.516330957 CEST | 49747 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:45.516556978 CEST | 49747 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:45.521364927 CEST | 2003 | 49747 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:46.453315973 CEST | 2003 | 49747 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:46.453380108 CEST | 49747 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:46.726427078 CEST | 2003 | 49747 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:46.726499081 CEST | 49747 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:46.726794004 CEST | 49747 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:46.728053093 CEST | 49747 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:46.731662989 CEST | 2003 | 49747 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:46.732808113 CEST | 2003 | 49747 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:47.303457975 CEST | 2003 | 49747 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:47.303486109 CEST | 2003 | 49747 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:47.303491116 CEST | 2003 | 49747 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:47.303769112 CEST | 49747 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:47.303880930 CEST | 49747 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:47.308656931 CEST | 2003 | 49747 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:51.412240982 CEST | 49748 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:51.879065037 CEST | 2003 | 49748 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:51.879163027 CEST | 49748 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:51.879477978 CEST | 49748 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:51.884300947 CEST | 2003 | 49748 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:52.741529942 CEST | 2003 | 49748 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:52.741600037 CEST | 49748 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:52.991293907 CEST | 2003 | 49748 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:52.991384983 CEST | 49748 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:52.991753101 CEST | 49748 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:52.993002892 CEST | 49748 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:52.996463060 CEST | 2003 | 49748 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:52.997752905 CEST | 2003 | 49748 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:53.783526897 CEST | 2003 | 49748 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:53.783550978 CEST | 2003 | 49748 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:53.783597946 CEST | 49748 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:53.783623934 CEST | 49748 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:53.783639908 CEST | 2003 | 49748 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:53.783680916 CEST | 49748 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:53.783771992 CEST | 49748 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:53.788522005 CEST | 2003 | 49748 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:57.287189007 CEST | 49749 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:57.292135954 CEST | 2003 | 49749 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:57.292207003 CEST | 49749 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:57.292623997 CEST | 49749 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:57.297693014 CEST | 2003 | 49749 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:58.177057028 CEST | 2003 | 49749 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:58.177119017 CEST | 49749 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:58.434926033 CEST | 2003 | 49749 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:58.434993029 CEST | 49749 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:58.435336113 CEST | 49749 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:58.436542034 CEST | 49749 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:58.440099001 CEST | 2003 | 49749 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:58.441312075 CEST | 2003 | 49749 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:58.997040987 CEST | 2003 | 49749 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:58.997104883 CEST | 49749 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:58.997195959 CEST | 49749 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:58.997257948 CEST | 2003 | 49749 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:10:58.997298956 CEST | 49749 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:10:59.008179903 CEST | 2003 | 49749 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:03.396634102 CEST | 49750 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:03.401597023 CEST | 2003 | 49750 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:03.401683092 CEST | 49750 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:03.402002096 CEST | 49750 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:03.406740904 CEST | 2003 | 49750 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:04.280163050 CEST | 2003 | 49750 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:04.280236959 CEST | 49750 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:04.547662020 CEST | 2003 | 49750 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:04.547730923 CEST | 49750 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:04.548013926 CEST | 49750 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:04.549177885 CEST | 49750 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:04.552782059 CEST | 2003 | 49750 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:04.553971052 CEST | 2003 | 49750 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:05.116439104 CEST | 2003 | 49750 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:05.116518021 CEST | 49750 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:05.116820097 CEST | 2003 | 49750 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:05.116837025 CEST | 2003 | 49750 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:05.116871119 CEST | 49750 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:05.116899014 CEST | 49750 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:05.116966009 CEST | 49750 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:05.121700048 CEST | 2003 | 49750 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:09.912731886 CEST | 49751 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:09.919423103 CEST | 2003 | 49751 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:09.919559956 CEST | 49751 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:09.920243025 CEST | 49751 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:09.925558090 CEST | 2003 | 49751 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:10.815268040 CEST | 2003 | 49751 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:10.815329075 CEST | 49751 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:11.087714911 CEST | 2003 | 49751 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:11.087846994 CEST | 49751 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:11.090090990 CEST | 49751 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:11.094959021 CEST | 2003 | 49751 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:11.100217104 CEST | 49751 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:11.105067968 CEST | 2003 | 49751 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:11.672967911 CEST | 2003 | 49751 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:11.673068047 CEST | 49751 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:11.673161030 CEST | 2003 | 49751 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:11.673229933 CEST | 49751 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:11.673348904 CEST | 49751 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:11.678124905 CEST | 2003 | 49751 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:15.334232092 CEST | 49752 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:15.339215994 CEST | 2003 | 49752 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:15.339303970 CEST | 49752 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:15.339905024 CEST | 49752 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:15.344686031 CEST | 2003 | 49752 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:16.231000900 CEST | 2003 | 49752 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:16.231106043 CEST | 49752 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:16.484085083 CEST | 2003 | 49752 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:16.484177113 CEST | 49752 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:16.484497070 CEST | 49752 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:16.485647917 CEST | 49752 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:16.489237070 CEST | 2003 | 49752 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:16.490474939 CEST | 2003 | 49752 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:17.045351982 CEST | 2003 | 49752 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:17.045450926 CEST | 49752 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:17.045463085 CEST | 2003 | 49752 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:17.045500994 CEST | 49752 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:17.045542002 CEST | 49752 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:17.050589085 CEST | 2003 | 49752 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:21.068504095 CEST | 49753 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:21.074434042 CEST | 2003 | 49753 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:21.074517012 CEST | 49753 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:21.074817896 CEST | 49753 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:21.079579115 CEST | 2003 | 49753 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:21.946587086 CEST | 2003 | 49753 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:21.946675062 CEST | 49753 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:22.200846910 CEST | 2003 | 49753 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:22.200921059 CEST | 49753 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:22.201266050 CEST | 49753 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:22.202500105 CEST | 49753 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:22.205995083 CEST | 2003 | 49753 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:22.207256079 CEST | 2003 | 49753 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:22.775135040 CEST | 2003 | 49753 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:22.775154114 CEST | 2003 | 49753 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:22.775218964 CEST | 49753 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:22.811084986 CEST | 49753 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:22.815872908 CEST | 2003 | 49753 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:26.665013075 CEST | 49754 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:26.670118093 CEST | 2003 | 49754 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:26.670208931 CEST | 49754 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:26.670849085 CEST | 49754 | 2003 | 192.168.2.4 | 154.82.113.115 |
Aug 28, 2024 07:11:26.675625086 CEST | 2003 | 49754 | 154.82.113.115 | 192.168.2.4 |
Aug 28, 2024 07:11:27.521167994 CEST | 49754 | 2003 | 192.168.2.4 | 154.82.113.115 |
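The rows above show the sandbox host opening a fresh connection to 154.82.113.115:2003 roughly every five seconds, each on the next ephemeral source port; that cadence is what a Beacon on a short sleep produces. The script below is an added example, not part of the Joe Sandbox report: it groups the packet rows into connections, measures the gaps between connection starts per destination and flags destinations whose gaps are regular. The sample rows are copied from the table above; the column order (timestamp, source port, destination port, source IP, destination IP) is assumed from the report layout, and the three-connection minimum and 0.2 coefficient-of-variation cut-off are illustrative values, not tuned detection settings.

```python
"""Beacon-cadence check over TCP packet rows in the Joe Sandbox layout.

Added example, not part of the report. Input rows are copied from the
report's TCP packet table; the column order (timestamp, source port,
dest port, source IP, dest IP) is assumed from the report layout.
"""
import math
from datetime import datetime, timezone
from statistics import mean, pstdev

SANDBOX_HOST = "192.168.2.4"  # analysis VM address seen in the report

# Rows copied from the report's TCP packet table (both directions, and
# more than one packet per connection, so the grouping below is exercised).
ROWS = """
Aug 28, 2024 07:11:05.116871119 CEST | 49750 | 2003 | 192.168.2.4 | 154.82.113.115
Aug 28, 2024 07:11:05.116899014 CEST | 49750 | 2003 | 192.168.2.4 | 154.82.113.115
Aug 28, 2024 07:11:05.121700048 CEST | 2003 | 49750 | 154.82.113.115 | 192.168.2.4
Aug 28, 2024 07:11:09.912731886 CEST | 49751 | 2003 | 192.168.2.4 | 154.82.113.115
Aug 28, 2024 07:11:09.919423103 CEST | 2003 | 49751 | 154.82.113.115 | 192.168.2.4
Aug 28, 2024 07:11:15.334232092 CEST | 49752 | 2003 | 192.168.2.4 | 154.82.113.115
Aug 28, 2024 07:11:15.339215994 CEST | 2003 | 49752 | 154.82.113.115 | 192.168.2.4
Aug 28, 2024 07:11:21.068504095 CEST | 49753 | 2003 | 192.168.2.4 | 154.82.113.115
Aug 28, 2024 07:11:21.074434042 CEST | 2003 | 49753 | 154.82.113.115 | 192.168.2.4
Aug 28, 2024 07:11:26.665013075 CEST | 49754 | 2003 | 192.168.2.4 | 154.82.113.115
Aug 28, 2024 07:11:26.670118093 CEST | 2003 | 49754 | 154.82.113.115 | 192.168.2.4
"""


def parse_ts(text):
    """Convert 'Aug 28, 2024 07:11:05.116871119 CEST' to seconds as a float.

    The fraction has nine digits, more than strptime's %f accepts, so it is
    added separately. The zone suffix is dropped: every row carries the same
    zone, so it cancels out of the interval arithmetic.
    """
    base, rest = text.rsplit(".", 1)
    frac = rest.split()[0]
    whole = datetime.strptime(base, "%b %d, %Y %H:%M:%S").replace(tzinfo=timezone.utc)
    return whole.timestamp() + int(frac) / 10 ** len(frac)


def parse_rows(text):
    """One dict per packet from the pipe-separated rows."""
    packets = []
    for line in text.strip().splitlines():
        ts, sport, dport, sip, dip = [field.strip() for field in line.split("|")]
        packets.append({"ts": parse_ts(ts), "sport": int(sport),
                        "dport": int(dport), "sip": sip, "dip": dip})
    return packets


def connection_starts(packets, client=SANDBOX_HOST):
    """Earliest outbound packet per (source port, dest IP, dest port).

    A fresh ephemeral source port marks a new TCP connection, so the first
    packet on it approximates the connect time; replies and later packets
    on the same connection are ignored.
    """
    starts = {}
    for p in packets:
        if p["sip"] != client:
            continue
        key = (p["sport"], p["dip"], p["dport"])
        starts[key] = min(starts.get(key, math.inf), p["ts"])
    return starts


def beacon_candidates(text, client=SANDBOX_HOST, min_connections=3, max_cv=0.2):
    """Destinations the client reconnects to at a regular interval.

    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between connection starts; max_cv=0.2 is an illustrative threshold.
    Returns {(dest_ip, dest_port): {"connections", "mean_interval", "cv"}}.
    """
    per_dest = {}
    for (_sport, dip, dport), ts in connection_starts(parse_rows(text), client).items():
        per_dest.setdefault((dip, dport), []).append(ts)
    hits = {}
    for dest, times in per_dest.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else math.inf
        if cv <= max_cv:
            hits[dest] = {"connections": len(times), "mean_interval": avg, "cv": cv}
    return hits


if __name__ == "__main__":
    for (ip, port), stats in beacon_candidates(ROWS).items():
        print(f"{ip}:{port}  {stats['connections']} connections, "
              f"mean gap {stats['mean_interval']:.2f}s, cv {stats['cv']:.3f}")
```

Run as a script it prints one line per flagged destination. The report does not state the configured sleep or jitter, so the mean gap of about 5.4 s measured here describes this capture, not the Beacon profile. On live traffic, feed the same logic with connection records (Zeek conn.log, NetFlow) rather than per-packet rows, and expect legitimate fixed-interval clients such as NTP or telemetry agents to need an allow-list.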
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
---|---|---|---|---|---|---|---|---|---|---
Aug 28, 2024 07:09:30.767981052 CEST | 1.1.1.1 | 192.168.2.4 | 0xf24 | No error (0) | | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 07:09:30.767981052 CEST | 1.1.1.1 | 192.168.2.4 | 0xf24 | No error (0) | | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 07:10:36.942295074 CEST | 1.1.1.1 | 192.168.2.4 | 0x4cba | No error (0) | | | 84.201.210.21 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 07:10:36.942295074 CEST | 1.1.1.1 | 192.168.2.4 | 0x4cba | No error (0) | | | 217.20.57.37 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 07:10:36.942295074 CEST | 1.1.1.1 | 192.168.2.4 | 0x4cba | No error (0) | | | 217.20.57.24 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 07:10:36.942295074 CEST | 1.1.1.1 | 192.168.2.4 | 0x4cba | No error (0) | | | 217.20.57.19 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 07:10:36.942295074 CEST | 1.1.1.1 | 192.168.2.4 | 0x4cba | No error (0) | | | 217.20.57.22 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 07:10:36.942295074 CEST | 1.1.1.1 | 192.168.2.4 | 0x4cba | No error (0) | | | 84.201.210.35 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 07:10:36.942295074 CEST | 1.1.1.1 | 192.168.2.4 | 0x4cba | No error (0) | | | 217.20.57.25 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 07:10:36.942295074 CEST | 1.1.1.1 | 192.168.2.4 | 0x4cba | No error (0) | | | 217.20.57.41 | A (IP address) | IN (0x0001) | false
Target ID: | 0 |
Start time: | 01:09:17 |
Start date: | 28/08/2024 |
Path: | C:\Windows\System32\loaddll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x5b0000 |
File size: | 126'464 bytes |
MD5 hash: | 51E6071F9CBA48E79F10C84515AAE618 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | high |
Has exited: | true |
Target ID: | 1 |
Start time: | 01:09:17 |
Start date: | 28/08/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 2 |
Start time: | 01:09:17 |
Start date: | 28/08/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x240000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 01:09:17 |
Start date: | 28/08/2024 |
Path: | C:\Windows\SysWOW64\regsvr32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xe00000 |
File size: | 20'992 bytes |
MD5 hash: | 878E47C8656E53AE8A8A21E927C6F7E0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 4 |
Start time: | 01:09:17 |
Start date: | 28/08/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x3b0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 5 |
Start time: | 01:09:17 |
Start date: | 28/08/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x3b0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 6 |
Start time: | 01:09:20 |
Start date: | 28/08/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x3b0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 7 |
Start time: | 01:09:23 |
Start date: | 28/08/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x3b0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Execution Graph
Execution Coverage: | 4.8% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 5.1% |
Total number of Nodes: | 2000 |
Total number of Limit Nodes: | 18 |
Functions in the execution graph (relevance score, API count, string count, instruction count and the tags the report attached to each function):

Function | Relevance | APIs | Strings | Instructions | Tags
---|---|---|---|---|---
0096296B | 22.9 | 11 | 2 | 169 | network, file, COMMON, LIBRARYCODE
00966CD1 | 12.4 | 6 | 1 | 123 | COMMON, LIBRARYCODE
0096D7AA | 8.8 | 4 | 1 | 44 | encryption, COMMON, LIBRARYCODE
0391047E | 0.0 | - | - | 23 | COMMON
0096131C | 10.8 | 5 | 1 | 280 | COMMON, LIBRARYCODE
00962506 | 9.1 | 6 | - | 114 | network, COMMON, LIBRARYCODE
00967B2D | 9.1 | 6 | - | 113 | network, COMMON, LIBRARYCODE
00962C13 | 4.6 | 3 | - | 68 | network, COMMON, LIBRARYCODE
0096BD3C | 4.6 | 3 | - | 68 | memory, COMMON, LIBRARYCODE
0096BDFB | 4.6 | 3 | - | 63 | memory, COMMON, LIBRARYCODE
00962B66 | 3.0 | 2 | - | 50 | network, COMMON, LIBRARYCODE
0096934F | 1.6 | 1 | - | 63 | memory, COMMON, LIBRARYCODE
00972722 | 1.5 | 1 | - | 25 | COMMON
00978DBB | 1.5 | 1 | - | 20 | memory, COMMON, LIBRARYCODE
0096480C | 24.7 | 10 | 4 | 172 | file, time, COMMON, LIBRARYCODE
00969031 | 17.7 | 6 | 4 | 159 | process, COMMON, LIBRARYCODE
0096925B | 14.1 | 7 | 1 | 84 | file, COMMON, LIBRARYCODE
0097EB2E | 10.6 | 5 | 1 | 58 | COMMON, LIBRARYCODE
00963374 | 9.1 | 6 | - | 68 | sleep, network, COMMON, LIBRARYCODE
00967375 | 9.1 | 6 | - | 68 | network, COMMON
00967293 | 9.1 | 6 | - | 54 | network, COMMON, LIBRARYCODE
0096CAAA | 8.8 | 4 | 1 | 94 | COMMON, LIBRARYCODE
00964065 | 7.6 | 5 | - | 65 | process, COMMON, LIBRARYCODE
0096D5DB | 7.5 | 5 | - | 45 | network, COMMON, LIBRARYCODE
009637C3 | 7.1 | 3 | 1 | 75 | COMMON, LIBRARYCODE
00966C1F | 6.1 | 4 | - | 63 | sleep, network, COMMON, LIBRARYCODE
0096CC7A | 4.5 | 3 | - | 42 | memory, COMMON, LIBRARYCODE
010B47AA | 2.7 | - | 2 | 191 | COMMON
010B479D | 2.5 | - | 2 | 36 | COMMON
039101A1 | 2.5 | - | 2 | 36 | COMMON
00986970 | 0.4 | - | - | 435 | COMMON
010A5DB8 | 0.4 | - | - | 435 | COMMON
009863A0 | 0.4 | - | - | 406 | COMMON
010A57E8 | 0.4 | - | - | 406 | COMMON
009840FD | 0.4 | - | - | 384 | COMMON
00983CDD | 0.4 | - | - | 378 | COMMON
009838D1 | 0.4 | - | - | 361 | COMMON
009834FD | 0.4 | - | - | 351 | COMMON
00974214 | 0.1 | - | - | 120 | COMMON
0109365C | 0.1 | - | - | 120 | COMMON
00986145 | 0.1 | - | - | 90 | COMMON
009677F6 | 30.0 | 16 | 1 | 210 | network, COMMON, LIBRARYCODE
00962728 | 24.6 | 11 | 3 | 147 | network, sleep, COMMON, LIBRARYCODE
00963E63 | 22.9 | 11 | 2 | 181 | process, COMMON, LIBRARYCODE
00966772 | 18.1 | 12 | - | 94 | pipe, sleep, file, COMMON, LIBRARYCODE
009655E0 | 17.6 | 8 | 2 | 114 | thread, sleep, process, COMMON, LIBRARYCODE
009675F5 | 17.6 | 9 | 1 | 69 | network, COMMON, LIBRARYCODE
0096752F | 15.8 | 8 | 1 | 59 | network, sleep, COMMON, LIBRARYCODE
00963430 | 15.1 | 10 | - | 103 | sleep, file, pipe, COMMON, LIBRARYCODE
00963C02 | 13.6 | 9 | - | 134 | injection, COMMON, LIBRARYCODE
0109B5B0 | 13.6 | 9 | - | 105 | COMMON
009681D9 | 13.6 | 9 | - | 99 | thread, COMMON
00964161 | 12.4 | 6 | 1 | 130 | process, COMMON, LIBRARYCODE
0096C7AA | 12.3 | 6 | 1 | 70 | COMMON, LIBRARYCODE
0096B6AC | 12.2 | 8 | - | 158 | COMMON
0108AAF4 | 12.2 | 8 | - | 158 | COMMON
01080FAB | 10.9 | 7 | - | 417 | COMMON
010974E4 | 10.7 | 7 | - | 189 | COMMON
00963D56 | 10.6 | 4 | 2 | 98 | process, COMMON, LIBRARYCODE
00966A10 | 10.6 | 7 | - | 59 | COMMON
0096D497 | 10.5 | 5 | 1 | 45 | COMMON, LIBRARYCODE
01081B70 | 9.1 | 6 | - | 147 | COMMON
009660AE | 9.1 | 6 | - | 63 | pipe, file, COMMON, LIBRARYCODE
00963618 | 8.8 | 4 | 1 | 96 | COMMON, LIBRARYCODE
00965832 | 8.8 | 3 | 2 | 80 | libraryloader, COMMON, LIBRARYCODE
01080764 | 7.8 | 5 | - | 280 | COMMON
0108A2DE | 7.8 | 5 | - | 273 | COMMON
00963304 | 7.5 | 5 | - | 45 | network, COMMON, LIBRARYCODE
0108C8DF | 7.5 | 5 | - | 45 | COMMON
00976F24 | 7.5 | 5 | - | 44 | memory, COMMON, LIBRARYCODE
0096AC36 | 7.1 | 3 | 1 | 140 | COMMON, LIBRARYCODE
00961FA2 | 7.1 | 3 | 1 | 131 | libraryloader, COMMON, LIBRARYCODE
0096B40C | 7.0 | 2 | 2 | 37 | COMMON, LIBRARYCODE
00965B14 | 7.0 | 2 | 2 | 35 | libraryloader, COMMON, LIBRARYCODE
00965714 | 7.0 | 2 | 2 | 29 | libraryloader, COMMON, LIBRARYCODE
0096394C | 7.0 | 2 | 2 | 22 | libraryloader, COMMON, LIBRARYCODE
00964A37 | 7.0 | 2 | 2 | 13 | libraryloader, COMMON, LIBRARYCODE
00964A5C | 7.0 | 2 | 2 | 13 | libraryloader, COMMON, LIBRARYCODE
009689BB | 6.4 | 4 | - | 380 | thread, COMMON, LIBRARYCODE
01081DB3 | 6.2 | 4 | - | 169 | COMMON
009661EA | 6.1 | 4 | - | 106 | sleep, COMMON, LIBRARYCODE
009658F1 | 6.1 | 4 | - | 105 | injection, COMMON, LIBRARYCODE
00964FA6 | 6.1 | 4 | - | 92 | sleep, pipe, COMMON, LIBRARYCODE
00962FE4 | 6.1 | 4 | - | 72 | synchronization, pipe, COMMON, LIBRARYCODE
01080582 | 6.1 | 4 | - | 71 | COMMON
0108AA2C | 6.1 | 4 | - | 68 | COMMON
0108A71F | 6.1 | 4 | - | 63 | COMMON
0109B286 | 6.1 | 4 | - | 57 | COMMON
0108CB7C | 6.0 | 4 | - | 50 | COMMON
0108A991 | 6.0 | 4 | - | 49 | COMMON
0096C690 | 6.0 | 4 | - | 45 | sleep, synchronization, thread, COMMON, LIBRARYCODE
009617AF | 6.0 | 4 | - | 41 | COMMON
01080BF6 | 6.0 | 4 | - | 41 | COMMON
01080BF7 | 6.0 | 4 | - | 41 | COMMON
0096D577 | 6.0 | 4 | - | 40 | network, COMMON
00967EBE | 6.0 | 4 | - | 39 | memory, thread, COMMON, LIBRARYCODE
0096619F | 6.0 | 4 | - | 35 | sleep, pipe, COMMON, LIBRARYCODE
0109EE62 | 6.0 | 4 | - | 31 | COMMON
0096B9CC | 5.4 | 1 | 2 | 141 | COMMON, LIBRARYCODE
0096ABAB | 5.3 | 2 | 1 | 37 | COMMON, LIBRARYCODE
0096921E | 5.3 | 2 | 1 | 25 | COMMON, LIBRARYCODE
009875D9 | 5.3 | 1 | 2 | 23 | COMMON, LIBRARYCODE