Windows
Analysis Report
kewyIO69TI.exe
Overview
General Information
Sample name: | kewyIO69TI.exe (renamed because the original name is a hash value) |
Original sample name: | ee766f8a002bc94c1ed54dc7602547c9.exe |
Analysis ID: | 1520453 |
MD5: | ee766f8a002bc94c1ed54dc7602547c9 |
SHA1: | 3cd317e022a72b3e7b25b3d87eecfb2fc6aafc5d |
SHA256: | aaefdf4d8df6b740054e00d65e9c56d081eaec7fe16e525b3895a6d882fb4cc0 |
Tags: | exe, user-abuse_ch |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- kewyIO69TI.exe (PID: 6720 cmdline: "C:\Users\user\Desktop\kewyIO69TI.exe" MD5: EE766F8A002BC94C1ED54DC7602547C9)
  - conhost.exe (PID: 4300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - RegAsm.exe (PID: 7076 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  - RegAsm.exe (PID: 1448 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | |
{"C2 url": ["drawzhotdog.shop", "stogeneratmns.shop", "lootebarrkeyn.shop", "gutterydhowi.shop", "fragnantbui.shop", "vozmeatillu.shop", "offensivedzvju.shop", "reinforcenh.shop", "ghostreedmnu.shop"], "Build id": "FATE99--"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | |
| JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | |
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |
| JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | |
| JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-09-27T11:19:09.761554+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49700 | 104.21.4.136 | 443 | TCP |
2024-09-27T11:19:10.980022+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49701 | 188.114.96.3 | 443 | TCP |
2024-09-27T11:19:11.913044+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49702 | 188.114.96.3 | 443 | TCP |
2024-09-27T11:19:12.867203+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49703 | 188.114.97.3 | 443 | TCP |
2024-09-27T11:19:13.818966+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49704 | 104.21.58.182 | 443 | TCP |
2024-09-27T11:19:14.778306+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49705 | 188.114.97.3 | 443 | TCP |
2024-09-27T11:19:15.705280+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49706 | 188.114.96.3 | 443 | TCP |
2024-09-27T11:19:16.606928+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49707 | 104.21.77.130 | 443 | TCP |
2024-09-27T11:19:18.776975+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49709 | 104.21.2.13 | 443 | TCP |
2024-09-27T11:19:09.761554+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49700 | 104.21.4.136 | 443 | TCP |
2024-09-27T11:19:10.980022+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49701 | 188.114.96.3 | 443 | TCP |
2024-09-27T11:19:11.913044+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49702 | 188.114.96.3 | 443 | TCP |
2024-09-27T11:19:12.867203+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49703 | 188.114.97.3 | 443 | TCP |
2024-09-27T11:19:13.818966+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49704 | 104.21.58.182 | 443 | TCP |
2024-09-27T11:19:14.778306+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49705 | 188.114.97.3 | 443 | TCP |
2024-09-27T11:19:15.705280+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49706 | 188.114.96.3 | 443 | TCP |
2024-09-27T11:19:16.606928+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49707 | 104.21.77.130 | 443 | TCP |
2024-09-27T11:19:18.776975+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49709 | 104.21.2.13 | 443 | TCP |
2024-09-27T11:19:13.390734+0200 | 2056157 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49704 | 104.21.58.182 | 443 | TCP |
2024-09-27T11:19:14.321187+0200 | 2056155 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49705 | 188.114.97.3 | 443 | TCP |
2024-09-27T11:19:10.388673+0200 | 2056163 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49701 | 188.114.96.3 | 443 | TCP |
2024-09-27T11:19:09.241941+0200 | 2056165 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49700 | 104.21.4.136 | 443 | TCP |
2024-09-27T11:19:11.461179+0200 | 2056161 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49702 | 188.114.96.3 | 443 | TCP |
2024-09-27T11:19:16.189594+0200 | 2056151 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49707 | 104.21.77.130 | 443 | TCP |
2024-09-27T11:19:15.258313+0200 | 2056153 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49706 | 188.114.96.3 | 443 | TCP |
2024-09-27T11:19:12.420066+0200 | 2056159 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49703 | 188.114.97.3 | 443 | TCP |
2024-09-27T11:19:12.880479+0200 | 2056156 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 59089 | 1.1.1.1 | 53 | UDP |
2024-09-27T11:19:13.822074+0200 | 2056154 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 62216 | 1.1.1.1 | 53 | UDP |
2024-09-27T11:19:09.791657+0200 | 2056162 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 54428 | 1.1.1.1 | 53 | UDP |
2024-09-27T11:19:08.756688+0200 | 2056164 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 52534 | 1.1.1.1 | 53 | UDP |
2024-09-27T11:19:08.742677+0200 | 2056048 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 59462 | 1.1.1.1 | 53 | UDP |
2024-09-27T11:19:10.982845+0200 | 2056160 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 53004 | 1.1.1.1 | 53 | UDP |
2024-09-27T11:19:15.706895+0200 | 2056150 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 55135 | 1.1.1.1 | 53 | UDP |
2024-09-27T11:19:14.780197+0200 | 2056152 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49493 | 1.1.1.1 | 53 | UDP |
2024-09-27T11:19:11.916804+0200 | 2056158 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 54688 | 1.1.1.1 | 53 | UDP |
AV Detection |
---|
Networking |
---|
System Summary |
---|
HIPS / PFW / Operating System Protection Evasion |
---|
Stealing of Sensitive Information |
---|
Remote Access Functionality |
---|
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 411 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Screen Capture | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 31 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 31 Virtualization/Sandbox Evasion | Security Account Manager | 12 System Information Discovery | SMB/Windows Admin Shares | 2 Clipboard Data | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 411 Process Injection | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | 114 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Deobfuscate/Decode Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 4 Obfuscated Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 55% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla | |
| 100% | URL Reputation | malware | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
fragnantbui.shop | 188.114.97.3 | true | true | unknown | |
gutterydhowi.shop | 104.21.4.136 | true | true | unknown | |
steamcommunity.com | 104.102.49.254 | true | false | unknown | |
offensivedzvju.shop | 188.114.96.3 | true | true | unknown | |
stogeneratmns.shop | 188.114.96.3 | true | true | unknown | |
reinforcenh.shop | 104.21.77.130 | true | true | unknown | |
drawzhotdog.shop | 104.21.58.182 | true | true | unknown | |
ghostreedmnu.shop | 188.114.96.3 | true | true | unknown | |
vozmeatillu.shop | 188.114.97.3 | true | true | unknown | |
ballotnwu.site | 104.21.2.13 | true | true | unknown | |
lootebarrkeyn.shop | unknown | unknown | true | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| | true | unknown | |
| | true | unknown | |
| | true | unknown | |
| | true | unknown | |
| | true | unknown | |
| | true | unknown | |
| | true | unknown | |
| | true | unknown | |
| | true | unknown | |
| | true | unknown | |
| | true | unknown | |
| | true | unknown | |
| | true | unknown | |
| | true | unknown | |
| | true | unknown | |
| | true | unknown | |
| | true | unknown | |
| | true | unknown | |
| | true | unknown | |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | | false | unknown | |
| | | false | unknown | |
| | | false | unknown | |
| | | false | unknown | |
| | | false | unknown | |
| | | false | unknown | |
| | | true | unknown | |
| | | false | unknown | |
| | | false | unknown | |
| | | false | unknown | |
| | | false | unknown | |
| | | false | unknown | |
| | | false | unknown | |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
104.21.77.130 | reinforcenh.shop | United States | | 13335 | CLOUDFLARENETUS | true |
104.21.4.136 | gutterydhowi.shop | United States | | 13335 | CLOUDFLARENETUS | true |
188.114.97.3 | fragnantbui.shop | European Union | | 13335 | CLOUDFLARENETUS | true |
188.114.96.3 | offensivedzvju.shop | European Union | | 13335 | CLOUDFLARENETUS | true |
104.102.49.254 | steamcommunity.com | United States | | 16625 | AKAMAI-ASUS | false |
104.21.2.13 | ballotnwu.site | United States | | 13335 | CLOUDFLARENETUS | true |
104.21.58.182 | drawzhotdog.shop | United States | | 13335 | CLOUDFLARENETUS | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1520453 |
Start date and time: | 2024-09-27 11:18:10 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 12s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 10 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | kewyIO69TI.exerenamed because original name is a hash value |
Original Sample Name: | ee766f8a002bc94c1ed54dc7602547c9.exe |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@6/2@11/7 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, 7.4.8.4.4.3.1.4.0.0.0.0.0.0.0.0.0.0.0.a.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: kewyIO69TI.exe
Time | Type | Description |
---|---|---|
05:19:07 | API Interceptor | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
104.21.77.130 | | Get hash | malicious | Amadey, GO Backdoor | Browse | |
104.21.77.130 | | Get hash | malicious | Amadey | Browse | |
104.21.77.130 | | Get hash | malicious | Amadey | Browse | |
104.21.4.136 | | Get hash | malicious | LummaC | Browse | |
104.21.4.136 | | Get hash | malicious | LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz | Browse | |
104.21.4.136 | | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse | |
104.21.4.136 | | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar | Browse | |
104.21.4.136 | | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse | |
104.21.4.136 | | Get hash | malicious | LummaC, Vidar | Browse | |
104.21.4.136 | | Get hash | malicious | LummaC | Browse | |
104.21.4.136 | | Get hash | malicious | LummaC | Browse | |
104.21.4.136 | | Get hash | malicious | LummaC, Stealc, Vidar | Browse | |
104.21.4.136 | | Get hash | malicious | LummaC | Browse | |
188.114.97.3 | | Get hash | malicious | FormBook | Browse | |
188.114.97.3 | | Get hash | malicious | Snake Keylogger | Browse | |
188.114.97.3 | | Get hash | malicious | HTMLPhisher | Browse | |
188.114.97.3 | | Get hash | malicious | Unknown | Browse | |
188.114.97.3 | | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | |
188.114.97.3 | | Get hash | malicious | FormBook | Browse | |
188.114.97.3 | | Get hash | malicious | Snake Keylogger | Browse | |
188.114.97.3 | | Get hash | malicious | FormBook | Browse | |
188.114.97.3 | | Get hash | malicious | Unknown | Browse | |
188.114.97.3 | | Get hash | malicious | FormBook | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
gutterydhowi.shop | | Get hash | malicious | LummaC | Browse | |
gutterydhowi.shop | | Get hash | malicious | LummaC | Browse | |
gutterydhowi.shop | | Get hash | malicious | LummaC | Browse | |
gutterydhowi.shop | | Get hash | malicious | LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz | Browse | |
gutterydhowi.shop | | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse | |
gutterydhowi.shop | | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse | |
gutterydhowi.shop | | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse | |
gutterydhowi.shop | | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar | Browse | |
gutterydhowi.shop | | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse | |
gutterydhowi.shop | | Get hash | malicious | LummaC, Vidar | Browse | |
steamcommunity.com | | Get hash | malicious | LummaC | Browse | |
steamcommunity.com | | Get hash | malicious | LummaC | Browse | |
steamcommunity.com | | Get hash | malicious | Vidar | Browse | |
steamcommunity.com | | Get hash | malicious | LummaC | Browse | |
steamcommunity.com | | Get hash | malicious | LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz | Browse | |
steamcommunity.com | | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse | |
steamcommunity.com | | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse | |
steamcommunity.com | | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse | |
steamcommunity.com | | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar | Browse | |
steamcommunity.com | | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse | |
fragnantbui.shop | | Get hash | malicious | LummaC | Browse | |
fragnantbui.shop | | Get hash | malicious | LummaC | Browse | |
fragnantbui.shop | | Get hash | malicious | LummaC | Browse | |
fragnantbui.shop | | Get hash | malicious | LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz | Browse | |
fragnantbui.shop | | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse | |
fragnantbui.shop | | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse | |
fragnantbui.shop | | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse | |
fragnantbui.shop | | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar | Browse | |
fragnantbui.shop | | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse | |
fragnantbui.shop | | Get hash | malicious | LummaC, Vidar | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CLOUDFLARENETUS | | Get hash | malicious | LummaC | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | FormBook | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | LummaC | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | Cobalt Strike, Snake Keylogger | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | Unknown | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | HTMLPhisher | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | Unknown | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | Unknown | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | LummaC | Browse | |
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | LummaC | Browse | |
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | Unknown | Browse | |
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | Unknown | Browse | |
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | Unknown | Browse | |
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | LummaC | Browse | |
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | Unknown | Browse | |
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz | Browse | |
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | HTMLPhisher | Browse | |
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | Unknown | Browse | |
Process: | C:\Users\user\Desktop\kewyIO69TI.exe |
File Type: | |
Category: | modified |
Size (bytes): | 425 |
Entropy (8bit): | 5.353683843266035 |
Encrypted: | false |
SSDEEP: | 12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk |
MD5: | 859802284B12C59DDBB85B0AC64C08F0 |
SHA1: | 4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE |
SHA-256: | FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B |
SHA-512: | 8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67 |
Malicious: | true |
Reputation: | high, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\kewyIO69TI.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 33 |
Entropy (8bit): | 2.2845972159140855 |
Encrypted: | false |
SSDEEP: | 3:i6vvRyMivvRya:iKvHivD |
MD5: | 45B4C82B8041BF0F9CCED0D6A18D151A |
SHA1: | B4DAD3FFFEF507CBB78671EE620BB495F8CE22F1 |
SHA-256: | 7CFA461ED1FC8611AB74878EDB1FBBDE3596F5D042946A42A7F31EB6D462E628 |
SHA-512: | B29C3696A8A311EFAF9B9709BA082FF2C8D45A6912D79BC1DE7FEEFBEF8F8DDEFCD6650B5E1165D0A79800C8AED399E2B11BC2431E3837DD8587516BDE50EAB5 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
File type: | |
Entropy (8bit): | 7.988942382031895 |
TrID: | |
File name: | kewyIO69TI.exe |
File size: | 375'296 bytes |
MD5: | ee766f8a002bc94c1ed54dc7602547c9 |
SHA1: | 3cd317e022a72b3e7b25b3d87eecfb2fc6aafc5d |
SHA256: | aaefdf4d8df6b740054e00d65e9c56d081eaec7fe16e525b3895a6d882fb4cc0 |
SHA512: | 441a9cba71d038caca31614156c5f18f25826a5ee461f989b97519790eadaf3f19ceffcc9bf36017faf7f689ec56974d0a45872b004fd7f7d9561dd1e8a5b5b0 |
SSDEEP: | 6144:U097ZR4GXYSmClbH4yjrz5fCKdjH3avEz2cXtTM4fdCR3AkyQloBfqA27/V7jCnI:NlIOYyvz5fljH3avEXM4fdCykTohqAMo |
TLSH: | FE842374B497D73EEFA166B6B7B38FDA86B0D00141D8B24A0370970999CF239EE24754 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...h..f............................>.... ........@.. ....................... ............`................................ |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x45ce3e |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x66F58368 [Thu Sep 26 15:53:12 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Instruction |
---|
jmp dword ptr [00402000h] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5cde8 | 0x53 | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5e000 | 0x5c8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x60000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x5ccb0 | 0x1c | .text |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0x5ae44 | 0x5b000 | 4467df89ee73d7db1162edc5ecc10192 | False | 0.9936711237980769 | data | 7.995225339741643 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rsrc | 0x5e000 | 0x5c8 | 0x600 | a589a4206018b0dca6ae47d5c97f9001 | False | 0.4375 | data | 4.119926545451393 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x60000 | 0xc | 0x200 | ef500bd10f72fd04b5e7aed0b41ff3fd | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0x5e0a0 | 0x334 | data | | | 0.4426829268292683 |
RT_MANIFEST | 0x5e3d8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041 |
DLL | Import |
---|---|
mscoree.dll | _CorExeMain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-09-27T11:19:08.742677+0200 | 2056048 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lootebarrkeyn .shop) | 1 | 192.168.2.7 | 59462 | 1.1.1.1 | 53 | UDP |
2024-09-27T11:19:08.756688+0200 | 2056164 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop) | 1 | 192.168.2.7 | 52534 | 1.1.1.1 | 53 | UDP |
2024-09-27T11:19:09.241941+0200 | 2056165 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI) | 1 | 192.168.2.7 | 49700 | 104.21.4.136 | 443 | TCP |
2024-09-27T11:19:09.761554+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49700 | 104.21.4.136 | 443 | TCP |
2024-09-27T11:19:09.761554+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49700 | 104.21.4.136 | 443 | TCP |
2024-09-27T11:19:09.791657+0200 | 2056162 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop) | 1 | 192.168.2.7 | 54428 | 1.1.1.1 | 53 | UDP |
2024-09-27T11:19:10.388673+0200 | 2056163 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI) | 1 | 192.168.2.7 | 49701 | 188.114.96.3 | 443 | TCP |
2024-09-27T11:19:10.980022+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49701 | 188.114.96.3 | 443 | TCP |
2024-09-27T11:19:10.980022+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49701 | 188.114.96.3 | 443 | TCP |
2024-09-27T11:19:10.982845+0200 | 2056160 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop) | 1 | 192.168.2.7 | 53004 | 1.1.1.1 | 53 | UDP |
2024-09-27T11:19:11.461179+0200 | 2056161 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI) | 1 | 192.168.2.7 | 49702 | 188.114.96.3 | 443 | TCP |
2024-09-27T11:19:11.913044+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49702 | 188.114.96.3 | 443 | TCP |
2024-09-27T11:19:11.913044+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49702 | 188.114.96.3 | 443 | TCP |
2024-09-27T11:19:11.916804+0200 | 2056158 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop) | 1 | 192.168.2.7 | 54688 | 1.1.1.1 | 53 | UDP |
2024-09-27T11:19:12.420066+0200 | 2056159 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI) | 1 | 192.168.2.7 | 49703 | 188.114.97.3 | 443 | TCP |
2024-09-27T11:19:12.867203+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49703 | 188.114.97.3 | 443 | TCP |
2024-09-27T11:19:12.867203+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49703 | 188.114.97.3 | 443 | TCP |
2024-09-27T11:19:12.880479+0200 | 2056156 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop) | 1 | 192.168.2.7 | 59089 | 1.1.1.1 | 53 | UDP |
2024-09-27T11:19:13.390734+0200 | 2056157 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI) | 1 | 192.168.2.7 | 49704 | 104.21.58.182 | 443 | TCP |
2024-09-27T11:19:13.818966+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49704 | 104.21.58.182 | 443 | TCP |
2024-09-27T11:19:13.818966+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49704 | 104.21.58.182 | 443 | TCP |
2024-09-27T11:19:13.822074+0200 | 2056154 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop) | 1 | 192.168.2.7 | 62216 | 1.1.1.1 | 53 | UDP |
2024-09-27T11:19:14.321187+0200 | 2056155 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI) | 1 | 192.168.2.7 | 49705 | 188.114.97.3 | 443 | TCP |
2024-09-27T11:19:14.778306+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49705 | 188.114.97.3 | 443 | TCP |
2024-09-27T11:19:14.778306+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49705 | 188.114.97.3 | 443 | TCP |
2024-09-27T11:19:14.780197+0200 | 2056152 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop) | 1 | 192.168.2.7 | 49493 | 1.1.1.1 | 53 | UDP |
2024-09-27T11:19:15.258313+0200 | 2056153 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI) | 1 | 192.168.2.7 | 49706 | 188.114.96.3 | 443 | TCP |
2024-09-27T11:19:15.705280+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49706 | 188.114.96.3 | 443 | TCP |
2024-09-27T11:19:15.705280+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49706 | 188.114.96.3 | 443 | TCP |
2024-09-27T11:19:15.706895+0200 | 2056150 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop) | 1 | 192.168.2.7 | 55135 | 1.1.1.1 | 53 | UDP |
2024-09-27T11:19:16.189594+0200 | 2056151 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI) | 1 | 192.168.2.7 | 49707 | 104.21.77.130 | 443 | TCP |
2024-09-27T11:19:16.606928+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49707 | 104.21.77.130 | 443 | TCP |
2024-09-27T11:19:16.606928+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49707 | 104.21.77.130 | 443 | TCP |
2024-09-27T11:19:18.776975+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49709 | 104.21.2.13 | 443 | TCP |
2024-09-27T11:19:18.776975+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49709 | 104.21.2.13 | 443 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 27, 2024 11:19:15.724508047 CEST | 49707 | 443 | 192.168.2.7 | 104.21.77.130 |
Sep 27, 2024 11:19:15.724730015 CEST | 49707 | 443 | 192.168.2.7 | 104.21.77.130 |
Sep 27, 2024 11:19:15.724739075 CEST | 443 | 49707 | 104.21.77.130 | 192.168.2.7 |
Sep 27, 2024 11:19:16.189388037 CEST | 443 | 49707 | 104.21.77.130 | 192.168.2.7 |
Sep 27, 2024 11:19:16.189594030 CEST | 49707 | 443 | 192.168.2.7 | 104.21.77.130 |
Sep 27, 2024 11:19:16.191030979 CEST | 49707 | 443 | 192.168.2.7 | 104.21.77.130 |
Sep 27, 2024 11:19:16.191042900 CEST | 443 | 49707 | 104.21.77.130 | 192.168.2.7 |
Sep 27, 2024 11:19:16.191325903 CEST | 443 | 49707 | 104.21.77.130 | 192.168.2.7 |
Sep 27, 2024 11:19:16.192579985 CEST | 49707 | 443 | 192.168.2.7 | 104.21.77.130 |
Sep 27, 2024 11:19:16.192606926 CEST | 49707 | 443 | 192.168.2.7 | 104.21.77.130 |
Sep 27, 2024 11:19:16.192662954 CEST | 443 | 49707 | 104.21.77.130 | 192.168.2.7 |
Sep 27, 2024 11:19:16.606952906 CEST | 443 | 49707 | 104.21.77.130 | 192.168.2.7 |
Sep 27, 2024 11:19:16.607198954 CEST | 443 | 49707 | 104.21.77.130 | 192.168.2.7 |
Sep 27, 2024 11:19:16.607279062 CEST | 49707 | 443 | 192.168.2.7 | 104.21.77.130 |
Sep 27, 2024 11:19:16.607371092 CEST | 49707 | 443 | 192.168.2.7 | 104.21.77.130 |
Sep 27, 2024 11:19:16.607398033 CEST | 443 | 49707 | 104.21.77.130 | 192.168.2.7 |
Sep 27, 2024 11:19:16.607413054 CEST | 49707 | 443 | 192.168.2.7 | 104.21.77.130 |
Sep 27, 2024 11:19:16.607419014 CEST | 443 | 49707 | 104.21.77.130 | 192.168.2.7 |
Sep 27, 2024 11:19:16.616328955 CEST | 49708 | 443 | 192.168.2.7 | 104.102.49.254 |
Sep 27, 2024 11:19:16.616378069 CEST | 443 | 49708 | 104.102.49.254 | 192.168.2.7 |
Sep 27, 2024 11:19:16.616453886 CEST | 49708 | 443 | 192.168.2.7 | 104.102.49.254 |
Sep 27, 2024 11:19:16.616790056 CEST | 49708 | 443 | 192.168.2.7 | 104.102.49.254 |
Sep 27, 2024 11:19:16.616806030 CEST | 443 | 49708 | 104.102.49.254 | 192.168.2.7 |
Sep 27, 2024 11:19:17.263047934 CEST | 443 | 49708 | 104.102.49.254 | 192.168.2.7 |
Sep 27, 2024 11:19:17.263138056 CEST | 49708 | 443 | 192.168.2.7 | 104.102.49.254 |
Sep 27, 2024 11:19:17.264866114 CEST | 49708 | 443 | 192.168.2.7 | 104.102.49.254 |
Sep 27, 2024 11:19:17.264874935 CEST | 443 | 49708 | 104.102.49.254 | 192.168.2.7 |
Sep 27, 2024 11:19:17.265222073 CEST | 443 | 49708 | 104.102.49.254 | 192.168.2.7 |
Sep 27, 2024 11:19:17.266403913 CEST | 49708 | 443 | 192.168.2.7 | 104.102.49.254 |
Sep 27, 2024 11:19:17.311408043 CEST | 443 | 49708 | 104.102.49.254 | 192.168.2.7 |
Sep 27, 2024 11:19:17.745685101 CEST | 443 | 49708 | 104.102.49.254 | 192.168.2.7 |
Sep 27, 2024 11:19:17.745743036 CEST | 443 | 49708 | 104.102.49.254 | 192.168.2.7 |
Sep 27, 2024 11:19:17.745784998 CEST | 443 | 49708 | 104.102.49.254 | 192.168.2.7 |
Sep 27, 2024 11:19:17.745789051 CEST | 49708 | 443 | 192.168.2.7 | 104.102.49.254 |
Sep 27, 2024 11:19:17.745811939 CEST | 443 | 49708 | 104.102.49.254 | 192.168.2.7 |
Sep 27, 2024 11:19:17.745845079 CEST | 49708 | 443 | 192.168.2.7 | 104.102.49.254 |
Sep 27, 2024 11:19:17.745878935 CEST | 49708 | 443 | 192.168.2.7 | 104.102.49.254 |
Sep 27, 2024 11:19:17.846967936 CEST | 443 | 49708 | 104.102.49.254 | 192.168.2.7 |
Sep 27, 2024 11:19:17.847024918 CEST | 443 | 49708 | 104.102.49.254 | 192.168.2.7 |
Sep 27, 2024 11:19:17.847098112 CEST | 49708 | 443 | 192.168.2.7 | 104.102.49.254 |
Sep 27, 2024 11:19:17.847120047 CEST | 443 | 49708 | 104.102.49.254 | 192.168.2.7 |
Sep 27, 2024 11:19:17.847153902 CEST | 49708 | 443 | 192.168.2.7 | 104.102.49.254 |
Sep 27, 2024 11:19:17.847168922 CEST | 49708 | 443 | 192.168.2.7 | 104.102.49.254 |
Sep 27, 2024 11:19:17.852453947 CEST | 443 | 49708 | 104.102.49.254 | 192.168.2.7 |
Sep 27, 2024 11:19:17.852539062 CEST | 49708 | 443 | 192.168.2.7 | 104.102.49.254 |
Sep 27, 2024 11:19:17.852545977 CEST | 443 | 49708 | 104.102.49.254 | 192.168.2.7 |
Sep 27, 2024 11:19:17.852588892 CEST | 49708 | 443 | 192.168.2.7 | 104.102.49.254 |
Sep 27, 2024 11:19:17.852642059 CEST | 443 | 49708 | 104.102.49.254 | 192.168.2.7 |
Sep 27, 2024 11:19:17.852705002 CEST | 49708 | 443 | 192.168.2.7 | 104.102.49.254 |
Sep 27, 2024 11:19:17.852770090 CEST | 49708 | 443 | 192.168.2.7 | 104.102.49.254 |
Sep 27, 2024 11:19:17.852787971 CEST | 443 | 49708 | 104.102.49.254 | 192.168.2.7 |
Sep 27, 2024 11:19:17.852849960 CEST | 49708 | 443 | 192.168.2.7 | 104.102.49.254 |
Sep 27, 2024 11:19:17.852855921 CEST | 443 | 49708 | 104.102.49.254 | 192.168.2.7 |
Sep 27, 2024 11:19:17.868069887 CEST | 49709 | 443 | 192.168.2.7 | 104.21.2.13 |
Sep 27, 2024 11:19:17.868117094 CEST | 443 | 49709 | 104.21.2.13 | 192.168.2.7 |
Sep 27, 2024 11:19:17.868186951 CEST | 49709 | 443 | 192.168.2.7 | 104.21.2.13 |
Sep 27, 2024 11:19:17.868506908 CEST | 49709 | 443 | 192.168.2.7 | 104.21.2.13 |
Sep 27, 2024 11:19:17.868522882 CEST | 443 | 49709 | 104.21.2.13 | 192.168.2.7 |
Sep 27, 2024 11:19:18.361959934 CEST | 443 | 49709 | 104.21.2.13 | 192.168.2.7 |
Sep 27, 2024 11:19:18.362087011 CEST | 49709 | 443 | 192.168.2.7 | 104.21.2.13 |
Sep 27, 2024 11:19:18.364015102 CEST | 49709 | 443 | 192.168.2.7 | 104.21.2.13 |
Sep 27, 2024 11:19:18.364027977 CEST | 443 | 49709 | 104.21.2.13 | 192.168.2.7 |
Sep 27, 2024 11:19:18.364305019 CEST | 443 | 49709 | 104.21.2.13 | 192.168.2.7 |
Sep 27, 2024 11:19:18.365511894 CEST | 49709 | 443 | 192.168.2.7 | 104.21.2.13 |
Sep 27, 2024 11:19:18.365536928 CEST | 49709 | 443 | 192.168.2.7 | 104.21.2.13 |
Sep 27, 2024 11:19:18.365588903 CEST | 443 | 49709 | 104.21.2.13 | 192.168.2.7 |
Sep 27, 2024 11:19:18.776984930 CEST | 443 | 49709 | 104.21.2.13 | 192.168.2.7 |
Sep 27, 2024 11:19:18.777084112 CEST | 443 | 49709 | 104.21.2.13 | 192.168.2.7 |
Sep 27, 2024 11:19:18.777132988 CEST | 49709 | 443 | 192.168.2.7 | 104.21.2.13 |
Sep 27, 2024 11:19:18.780220985 CEST | 49709 | 443 | 192.168.2.7 | 104.21.2.13 |
Sep 27, 2024 11:19:18.780242920 CEST | 443 | 49709 | 104.21.2.13 | 192.168.2.7 |
Sep 27, 2024 11:19:18.780255079 CEST | 49709 | 443 | 192.168.2.7 | 104.21.2.13 |
Sep 27, 2024 11:19:18.780265093 CEST | 443 | 49709 | 104.21.2.13 | 192.168.2.7 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 27, 2024 11:19:08.742676973 CEST | 59462 | 53 | 192.168.2.7 | 1.1.1.1 |
Sep 27, 2024 11:19:08.752720118 CEST | 53 | 59462 | 1.1.1.1 | 192.168.2.7 |
Sep 27, 2024 11:19:08.756688118 CEST | 52534 | 53 | 192.168.2.7 | 1.1.1.1 |
Sep 27, 2024 11:19:08.769135952 CEST | 53 | 52534 | 1.1.1.1 | 192.168.2.7 |
Sep 27, 2024 11:19:09.791656971 CEST | 54428 | 53 | 192.168.2.7 | 1.1.1.1 |
Sep 27, 2024 11:19:09.806864023 CEST | 53 | 54428 | 1.1.1.1 | 192.168.2.7 |
Sep 27, 2024 11:19:10.982845068 CEST | 53004 | 53 | 192.168.2.7 | 1.1.1.1 |
Sep 27, 2024 11:19:10.998209953 CEST | 53 | 53004 | 1.1.1.1 | 192.168.2.7 |
Sep 27, 2024 11:19:11.916804075 CEST | 54688 | 53 | 192.168.2.7 | 1.1.1.1 |
Sep 27, 2024 11:19:11.931961060 CEST | 53 | 54688 | 1.1.1.1 | 192.168.2.7 |
Sep 27, 2024 11:19:12.880479097 CEST | 59089 | 53 | 192.168.2.7 | 1.1.1.1 |
Sep 27, 2024 11:19:12.894628048 CEST | 53 | 59089 | 1.1.1.1 | 192.168.2.7 |
Sep 27, 2024 11:19:13.822073936 CEST | 62216 | 53 | 192.168.2.7 | 1.1.1.1 |
Sep 27, 2024 11:19:13.838804960 CEST | 53 | 62216 | 1.1.1.1 | 192.168.2.7 |
Sep 27, 2024 11:19:14.780196905 CEST | 49493 | 53 | 192.168.2.7 | 1.1.1.1 |
Sep 27, 2024 11:19:14.792385101 CEST | 53 | 49493 | 1.1.1.1 | 192.168.2.7 |
Sep 27, 2024 11:19:15.706895113 CEST | 55135 | 53 | 192.168.2.7 | 1.1.1.1 |
Sep 27, 2024 11:19:15.723588943 CEST | 53 | 55135 | 1.1.1.1 | 192.168.2.7 |
Sep 27, 2024 11:19:16.608776093 CEST | 63673 | 53 | 192.168.2.7 | 1.1.1.1 |
Sep 27, 2024 11:19:16.615581989 CEST | 53 | 63673 | 1.1.1.1 | 192.168.2.7 |
Sep 27, 2024 11:19:17.854218006 CEST | 61104 | 53 | 192.168.2.7 | 1.1.1.1 |
Sep 27, 2024 11:19:17.867294073 CEST | 53 | 61104 | 1.1.1.1 | 192.168.2.7 |
Sep 27, 2024 11:19:52.927088022 CEST | 53 | 62908 | 162.159.36.2 | 192.168.2.7 |
Sep 27, 2024 11:19:54.049200058 CEST | 53 | 49755 | 1.1.1.1 | 192.168.2.7 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Sep 27, 2024 11:19:08.742676973 CEST | 192.168.2.7 | 1.1.1.1 | 0x610e | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Sep 27, 2024 11:19:08.756688118 CEST | 192.168.2.7 | 1.1.1.1 | 0x8e84 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Sep 27, 2024 11:19:09.791656971 CEST | 192.168.2.7 | 1.1.1.1 | 0xbba1 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Sep 27, 2024 11:19:10.982845068 CEST | 192.168.2.7 | 1.1.1.1 | 0xc113 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Sep 27, 2024 11:19:11.916804075 CEST | 192.168.2.7 | 1.1.1.1 | 0x90ec | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Sep 27, 2024 11:19:12.880479097 CEST | 192.168.2.7 | 1.1.1.1 | 0x1a69 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Sep 27, 2024 11:19:13.822073936 CEST | 192.168.2.7 | 1.1.1.1 | 0x6321 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Sep 27, 2024 11:19:14.780196905 CEST | 192.168.2.7 | 1.1.1.1 | 0x34b5 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Sep 27, 2024 11:19:15.706895113 CEST | 192.168.2.7 | 1.1.1.1 | 0x79df | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Sep 27, 2024 11:19:16.608776093 CEST | 192.168.2.7 | 1.1.1.1 | 0xb031 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Sep 27, 2024 11:19:17.854218006 CEST | 192.168.2.7 | 1.1.1.1 | 0x9669 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Sep 27, 2024 11:19:08.752720118 CEST | 1.1.1.1 | 192.168.2.7 | 0x610e | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Sep 27, 2024 11:19:08.769135952 CEST | 1.1.1.1 | 192.168.2.7 | 0x8e84 | No error (0) | | | 104.21.4.136 | A (IP address) | IN (0x0001) | false |
Sep 27, 2024 11:19:08.769135952 CEST | 1.1.1.1 | 192.168.2.7 | 0x8e84 | No error (0) | | | 172.67.132.32 | A (IP address) | IN (0x0001) | false |
Sep 27, 2024 11:19:09.806864023 CEST | 1.1.1.1 | 192.168.2.7 | 0xbba1 | No error (0) | | | 188.114.96.3 | A (IP address) | IN (0x0001) | false |
Sep 27, 2024 11:19:09.806864023 CEST | 1.1.1.1 | 192.168.2.7 | 0xbba1 | No error (0) | | | 188.114.97.3 | A (IP address) | IN (0x0001) | false |
Sep 27, 2024 11:19:10.998209953 CEST | 1.1.1.1 | 192.168.2.7 | 0xc113 | No error (0) | | | 188.114.96.3 | A (IP address) | IN (0x0001) | false |
Sep 27, 2024 11:19:10.998209953 CEST | 1.1.1.1 | 192.168.2.7 | 0xc113 | No error (0) | | | 188.114.97.3 | A (IP address) | IN (0x0001) | false |
Sep 27, 2024 11:19:11.931961060 CEST | 1.1.1.1 | 192.168.2.7 | 0x90ec | No error (0) | | | 188.114.97.3 | A (IP address) | IN (0x0001) | false |
Sep 27, 2024 11:19:11.931961060 CEST | 1.1.1.1 | 192.168.2.7 | 0x90ec | No error (0) | | | 188.114.96.3 | A (IP address) | IN (0x0001) | false |
Sep 27, 2024 11:19:12.894628048 CEST | 1.1.1.1 | 192.168.2.7 | 0x1a69 | No error (0) | | | 104.21.58.182 | A (IP address) | IN (0x0001) | false |
Sep 27, 2024 11:19:12.894628048 CEST | 1.1.1.1 | 192.168.2.7 | 0x1a69 | No error (0) | | | 172.67.162.108 | A (IP address) | IN (0x0001) | false |
Sep 27, 2024 11:19:13.838804960 CEST | 1.1.1.1 | 192.168.2.7 | 0x6321 | No error (0) | | | 188.114.97.3 | A (IP address) | IN (0x0001) | false |
Sep 27, 2024 11:19:13.838804960 CEST | 1.1.1.1 | 192.168.2.7 | 0x6321 | No error (0) | | | 188.114.96.3 | A (IP address) | IN (0x0001) | false |
Sep 27, 2024 11:19:14.792385101 CEST | 1.1.1.1 | 192.168.2.7 | 0x34b5 | No error (0) | | | 188.114.96.3 | A (IP address) | IN (0x0001) | false |
Sep 27, 2024 11:19:14.792385101 CEST | 1.1.1.1 | 192.168.2.7 | 0x34b5 | No error (0) | | | 188.114.97.3 | A (IP address) | IN (0x0001) | false |
Sep 27, 2024 11:19:15.723588943 CEST | 1.1.1.1 | 192.168.2.7 | 0x79df | No error (0) | | | 104.21.77.130 | A (IP address) | IN (0x0001) | false |
Sep 27, 2024 11:19:15.723588943 CEST | 1.1.1.1 | 192.168.2.7 | 0x79df | No error (0) | | | 172.67.208.139 | A (IP address) | IN (0x0001) | false |
Sep 27, 2024 11:19:16.615581989 CEST | 1.1.1.1 | 192.168.2.7 | 0xb031 | No error (0) | | | 104.102.49.254 | A (IP address) | IN (0x0001) | false |
Sep 27, 2024 11:19:17.867294073 CEST | 1.1.1.1 | 192.168.2.7 | 0x9669 | No error (0) | | | 104.21.2.13 | A (IP address) | IN (0x0001) | false |
Sep 27, 2024 11:19:17.867294073 CEST | 1.1.1.1 | 192.168.2.7 | 0x9669 | No error (0) | | | 172.67.128.144 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.7 | 49700 | 104.21.4.136 | 443 | 1448 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-09-27 09:19:09 UTC | 264 | OUT | |
2024-09-27 09:19:09 UTC | 8 | OUT | |
2024-09-27 09:19:09 UTC | 782 | IN | |
2024-09-27 09:19:09 UTC | 15 | IN | |
2024-09-27 09:19:09 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.7 | 49701 | 188.114.96.3 | 443 | 1448 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-09-27 09:19:10 UTC | 264 | OUT | |
2024-09-27 09:19:10 UTC | 8 | OUT | |
2024-09-27 09:19:10 UTC | 784 | IN | |
2024-09-27 09:19:10 UTC | 15 | IN | |
2024-09-27 09:19:10 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.7 | 49702 | 188.114.96.3 | 443 | 1448 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-09-27 09:19:11 UTC | 266 | OUT | |
2024-09-27 09:19:11 UTC | 8 | OUT | |
2024-09-27 09:19:11 UTC | 812 | IN | |
2024-09-27 09:19:11 UTC | 15 | IN | |
2024-09-27 09:19:11 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.7 | 49703 | 188.114.97.3 | 443 | 1448 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-09-27 09:19:12 UTC | 263 | OUT | |
2024-09-27 09:19:12 UTC | 8 | OUT | |
2024-09-27 09:19:12 UTC | 768 | IN | |
2024-09-27 09:19:12 UTC | 15 | IN | |
2024-09-27 09:19:12 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.7 | 49704 | 104.21.58.182 | 443 | 1448 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-09-27 09:19:13 UTC | 263 | OUT | |
2024-09-27 09:19:13 UTC | 8 | OUT | |
2024-09-27 09:19:13 UTC | 776 | IN | |
2024-09-27 09:19:13 UTC | 15 | IN | |
2024-09-27 09:19:13 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.7 | 49705 | 188.114.97.3 | 443 | 1448 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-09-27 09:19:14 UTC | 263 | OUT | |
2024-09-27 09:19:14 UTC | 8 | OUT | |
2024-09-27 09:19:14 UTC | 760 | IN | |
2024-09-27 09:19:14 UTC | 15 | IN | |
2024-09-27 09:19:14 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.7 | 49706 | 188.114.96.3 | 443 | 1448 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-09-27 09:19:15 UTC | 265 | OUT | |
2024-09-27 09:19:15 UTC | 8 | OUT | |
2024-09-27 09:19:15 UTC | 774 | IN | |
2024-09-27 09:19:15 UTC | 15 | IN | |
2024-09-27 09:19:15 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.7 | 49707 | 104.21.77.130 | 443 | 1448 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-09-27 09:19:16 UTC | 263 | OUT | |
2024-09-27 09:19:16 UTC | 8 | OUT | |
2024-09-27 09:19:16 UTC | 764 | IN | |
2024-09-27 09:19:16 UTC | 15 | IN | |
2024-09-27 09:19:16 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
8 | 192.168.2.7 | 49708 | 104.102.49.254 | 443 | 1448 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-09-27 09:19:17 UTC | 219 | OUT | |
2024-09-27 09:19:17 UTC | 1870 | IN | |
2024-09-27 09:19:17 UTC | 14514 | IN | |
2024-09-27 09:19:17 UTC | 16384 | IN | |
2024-09-27 09:19:17 UTC | 3765 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
9 | 192.168.2.7 | 49709 | 104.21.2.13 | 443 | 1448 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-09-27 09:19:18 UTC | 261 | OUT | |
2024-09-27 09:19:18 UTC | 8 | OUT | |
2024-09-27 09:19:18 UTC | 770 | IN | |
2024-09-27 09:19:18 UTC | 15 | IN | |
2024-09-27 09:19:18 UTC | 5 | IN |
Target ID: | 0 |
Start time: | 05:19:07 |
Start date: | 27/09/2024 |
Path: | C:\Users\user\Desktop\kewyIO69TI.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x850000 |
File size: | 375'296 bytes |
MD5 hash: | EE766F8A002BC94C1ED54DC7602547C9 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 05:19:07 |
Start date: | 27/09/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff75da10000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 05:19:07 |
Start date: | 27/09/2024 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x460000 |
File size: | 65'440 bytes |
MD5 hash: | 0D5DF43AF2916F47D00C1573797C1A13 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 4 |
Start time: | 05:19:07 |
Start date: | 27/09/2024 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x910000 |
File size: | 65'440 bytes |
MD5 hash: | 0D5DF43AF2916F47D00C1573797C1A13 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | high |
Has exited: | true |
Execution Graph
Execution Coverage: | 20.7% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 36.4% |
Total number of Nodes: | 22 |
Total number of Limit Nodes: | 0 |
Graph
Callgraph
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
02CF2155 | 44.0 | 11 | 14 | 282 | thread, injection, memory, COMMON |
01200C40 | 0.3 | | | 322 | COMMON |
01201218 | 1.6 | 1 | | 59 | COMMON |
01201220 | 1.6 | 1 | | 56 | COMMON |
Execution Graph
Execution Coverage: | 1.2% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 47.2% |
Total number of Nodes: | 125 |
Total number of Limit Nodes: | 11 |
Graph
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
0040D470 | 10.7 | 4 | 2 | 153 | thread, COMMON |
00447AC9 | 5.3 | | 4 | 253 | COMMON |
004476D0 | 1.5 | 1 | | 14 | library, COMMON |
00447E1B | 1.3 | | 1 | 97 | COMMON |
00447D38 | 0.5 | | | 487 | COMMON |
0040F807 | 0.4 | | | 390 | COMMON |
0040F042 | 0.3 | | | 268 | COMMON |
0044445C | 3.5 | 1 | 1 | 23 | memory, COMMON |
00444470 | 3.5 | 1 | 1 | 5 | memory, COMMON |
00447130 | 1.6 | 1 | | 74 | memory, COMMON |
00444490 | 1.6 | 1 | | 62 | memory, COMMON |
0041E71A | 30.0 | | 23 | 1251 | COMMON |
00439BD0 | 29.8 | 6 | 11 | 99 | clipboard, COMMON |
00429978 | 24.3 | | 19 | 551 | COMMON |
004404AB | 19.9 | 8 | 3 | 644 | memory, COMMON |
00401000 | 10.7 | | 7 | 1914 | COMMON |
0040FA20 | 7.9 | | 6 | 380 | COMMON |
004338C0 | 7.5 | | 5 | 1246 | COMMON |
00433623 | 5.2 | | 4 | 178 | COMMON |
0041FFD8 | 4.2 | | 3 | 450 | COMMON |
00427230 | 4.2 | | 3 | 429 | COMMON |
00420A70 | 4.1 | | 3 | 397 | COMMON |
0042FE26 | 4.1 | | 3 | 362 | COMMON |
00421AD0 | 3.0 | | 2 | 527 | COMMON |
0042CAD0 | 2.8 | | 2 | 344 | COMMON |
00440A70 | 2.8 | | 2 | 277 | COMMON |
004452E0 | 1.9 | | 1 | 662 | COMMON |
00413EEC | 1.8 | | 1 | 559 | COMMON |
00426FC0 | 1.7 | 1 | | 245 | com, COMMON |
004314A0 | 1.6 | | 1 | 396 | COMMON |
00449620 | 1.6 | | 1 | 388 | COMMON |
0042DFE0 | 1.6 | | 1 | 313 | COMMON |
00434629 | 1.6 | | 1 | 303 | COMMON |
00448D80 | 1.5 | | 1 | 296 | COMMON |
00448B90 | 1.4 | | 1 | 178 | COMMON |
00425030 | 1.3 | | 1 | 99 | COMMON |
0044B320 | 1.3 | | 1 | 84 | COMMON |
0040C1C0 | 0.8 | | | 778 | COMMON |
00407450 | 0.7 | | | 658 | COMMON |
0044A510 | 0.4 | | | 415 | COMMON |
00449D22 | 0.3 | | | 334 | COMMON |
004142E4 | 0.3 | | | 323 | COMMON |
0044B430 | 0.3 | | | 284 | COMMON |
0040F7E3 | 0.3 | | | 255 | COMMON |
00445DE0 | 0.2 | | | 216 | COMMON |
00444970 | 0.2 | | | 206 | COMMON |
0040F63A | 0.2 | | | 176 | COMMON |
00444BC0 | 0.2 | | | 172 | COMMON |
00405CF0 | 0.2 | | | 163 | COMMON |
0044B010 | 0.1 | | | 137 | COMMON |
0044B1A0 | 0.1 | | | 134 | COMMON |
00435519 | 0.1 | | | 124 | COMMON |
00414692 | 0.1 | | | 100 | COMMON |
0043FE90 | 0.1 | | | 98 | COMMON |
00404CB0 | 0.1 | | | 95 | COMMON |
0043BFF0 | 0.1 | | | 64 | COMMON |
00430CC0 | 0.1 | | | 63 | COMMON |
0043910C | 0.1 | | | 52 | COMMON |
0041AB90 | 0.0 | | | 38 | COMMON |
00442410 | 0.0 | | | 21 | COMMON |