Edit tour
Windows
Analysis Report
Documenti di spedizione.bat.exe
Overview
General Information
| Sample name: | Documenti di spedizione.bat.exe |
| Analysis ID: | 1538406 |
| MD5: | c2d72d131fe371481a0cc117bb835f23 |
| SHA1: | dd736a4b716d790f1a3b304f265530399e0646aa |
| SHA256: | d5ee11c69acd2903e1d9b6f6b59aabbd66d9a38430fe4a020d48b18707afb9b8 |
| Tags: | exeSPAM-ITAuser-JAMESWT_MHT |
| Infos: |  |
 | |
Detection
AgentTesla, GuLoader
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected GuLoader
AI detected suspicious sample
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
Documenti di spedizione.bat.exe (PID: 1216 cmdline: "C:\Users\ user\Deskt op\Documen ti di sped izione.bat .exe" MD5: C2D72D131FE371481A0CC117BB835F23) - Documenti di spedizione.bat.exe (PID: 6360 cmdline:
"C:\Users\ user\Deskt op\Documen ti di sped izione.bat .exe" MD5: C2D72D131FE371481A0CC117BB835F23)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Agent Tesla, AgentTesla | A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel. |
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution |
{"Exfil Mode": "FTP", "Host": "ftp://ftp.concaribe.com", "Username": "testi@concaribe.com", "Password": "ro}UWgz#!38E"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| Click to see the 1 entries | ||||
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-21T08:25:12.066632+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.5 | 64702 | 84.38.129.16 | 80 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_0040270B | |
| Source: | Code function: | 0_2_004061FB | |
| Source: | Code function: | 0_2_00405799 | |
| Source: | Code function: | 4_2_0040270B | |
| Source: | Code function: | 4_2_004061FB | |
| Source: | Code function: | 4_2_00405799 | |
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | DNS query: | ||
| Source: | DNS query: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 0_2_0040524E | |
System Summary | |
|---|
| Source: | Static PE information: | ||
| Source: | Process Stats: | ||
| Source: | Code function: | 0_2_004032BF | |
| Source: | Code function: | 4_2_004032BF | |
| Source: | File created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00406542 | |
| Source: | Code function: | 0_2_00404A8D | |
| Source: | Code function: | 4_2_00406542 | |
| Source: | Code function: | 4_2_00404A8D | |
| Source: | Code function: | 4_2_000D4188 | |
| Source: | Code function: | 4_2_000DA214 | |
| Source: | Code function: | 4_2_000D4A58 | |
| Source: | Code function: | 4_2_000DAAAB | |
| Source: | Code function: | 4_2_000D3E40 | |
| Source: | Code function: | 4_2_38CEBB90 | |
| Source: | Code function: | 4_2_38CEA7DC | |
| Source: | Code function: | 4_2_38CF3158 | |
| Source: | Code function: | 4_2_38CF0040 | |
| Source: | Code function: | 4_2_38CFE468 | |
| Source: | Code function: | 4_2_38CF7760 | |
| Source: | Code function: | 4_2_39202B98 | |
| Source: | Code function: | 4_2_38CF0038 | |
| Source: | Code function: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_004032BF | |
| Source: | Code function: | 4_2_004032BF | |
| Source: | Code function: | 0_2_0040451A | |
| Source: | Code function: | 0_2_004020CD | |
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | File written: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
Data Obfuscation | |
|---|
| Source: | File source: | ||
| Source: | Code function: | 0_2_10001A5D | |
| Source: | Code function: | 0_2_10002D4E | |
| Source: | Code function: | 4_2_000D0C7A | |
| Source: | Code function: | 4_2_38CF604E | |
| Source: | File created: | Jump to dropped file | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | WMI Queries: | ||
| Source: | API/Special instruction interceptor: | ||
| Source: | API/Special instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | API coverage: | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Code function: | 0_2_0040270B | |
| Source: | Code function: | 0_2_004061FB | |
| Source: | Code function: | 0_2_00405799 | |
| Source: | Code function: | 4_2_0040270B | |
| Source: | Code function: | 4_2_004061FB | |
| Source: | Code function: | 4_2_00405799 | |
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_0-4889 | ||
| Source: | API call chain: | graph_0-4896 | ||
| Source: | Code function: | 0_2_10001A5D | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_00405F19 | |
| Source: | Key value queried: | Jump to behavior | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 2 OS Credential Dumping | 4 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 Access Token Manipulation | 1 Deobfuscate/Decode Files or Information | 1 Credentials in Registry | 226 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 11 Process Injection | 2 Obfuscated Files or Information | Security Account Manager | 311 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 141 Virtualization/Sandbox Evasion | Distributed Component Object Model | 1 Clipboard Data | 13 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Masquerading | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 141 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 System Network Configuration Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 15% | Virustotal | Browse | ||
| 13% | ReversingLabs | |||
| 100% | Avira | HEUR/AGEN.1338492 | ||
| 100% | Joe Sandbox ML |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | ReversingLabs |
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Virustotal | Browse | ||
| 3% | Virustotal | Browse | ||
| 6% | Virustotal | Browse |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| api.ipify.org | 104.26.13.205 | true | false |
| unknown |
| concaribe.com | 192.185.13.234 | true | true |
| unknown |
| ftp.concaribe.com | unknown | unknown | true |
| unknown |
| 171.39.242.20.in-addr.arpa | unknown | unknown | false | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false |
| unknown | |
| false | unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| true | unknown | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | unknown | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 104.26.13.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false | |
| 192.185.13.234 | concaribe.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true | |
| 84.38.129.16 | unknown | Latvia | 203557 | DATACLUB-NL | false |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1538406 |
| Start date and time: | 2024-10-21 08:23:06 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 6m 42s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 5 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | Documenti di spedizione.bat.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@3/18@3/3 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
- Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
| Time | Type | Description |
|---|---|---|
| 02:25:14 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 104.26.13.205 | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | LummaC, PrivateLoader, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | LummaC, PrivateLoader, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | RDPWrap Tool | Browse |
| ||
| Get hash | malicious | Node Stealer | Browse |
| ||
| Get hash | malicious | LummaC, PrivateLoader, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse |
| ||
| 192.185.13.234 | Get hash | malicious | AgentTesla, GuLoader | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| api.ipify.org | Get hash | malicious | Quasar | Browse |
| |
| Get hash | malicious | PureLog Stealer, RedLine | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse |
| |
| Get hash | malicious | PureLog Stealer, Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse |
| ||
| UNIFIEDLAYER-AS-1US | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Captcha Phish | Browse |
| ||
| Get hash | malicious | HTMLPhisher, Mamba2FA | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| DATACLUB-NL | Get hash | malicious | Snake Keylogger | Browse |
| |
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | Cobalt Strike, Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | AgentTesla, GuLoader | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 3b5074b1b5d032e5620f69f9f700ff0e | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| |
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\nsgDADD.tmp\System.dll | Get hash | malicious | GuLoader, Snake Keylogger | Browse | ||
| Get hash | malicious | AgentTesla, GuLoader | Browse | |||
| Get hash | malicious | FormBook, GuLoader | Browse | |||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | FormBook, GuLoader | Browse | |||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | FormBook, GuLoader | Browse | |||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | FormBook, GuLoader | Browse | |||
| Get hash | malicious | GuLoader | Browse |
| Process: | C:\Users\user\Desktop\Documenti di spedizione.bat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 42 |
| Entropy (8bit): | 3.9726590202682766 |
| Encrypted: | false |
| SSDEEP: | 3:guTWyXRAK4vn:TzRAKi |
| MD5: | 276D6E1D94791E4BC828A3B5F04A73EA |
| SHA1: | 4665FD1D7598D3D751B5232BBB0859123D79A3BE |
| SHA-256: | 812A9FCAACC7A28EBA4FA5EDB16AE49DD9BBFECFC112E5957C984BC4A50F7304 |
| SHA-512: | F8A6F577DE29F60997EAB5F032C6CAF6C2565C8E018EDDD88900DFF17062CCA7D2B6BA30844F8A7A0DB4759056481F6C1D290C99378E8C540031B3C3E008E8DE |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\Directdiscourse.Mrk
Download File
| Process: | C:\Users\user\Desktop\Documenti di spedizione.bat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 100910 |
| Entropy (8bit): | 4.6136825228526845 |
| Encrypted: | false |
| SSDEEP: | 1536:hUL2eODkXBisy4uA2vOqMkkETeiknT0fouNyGZkI67AxzVUT0f3Wz06Vf+:OyeKMB9y4h2SM0nuNnxP6Tg3W1+ |
| MD5: | 0CDD72DC4C52FC3E3679087A86475EC7 |
| SHA1: | 086083A90B709250B42C54ED9080ECECD5702610 |
| SHA-256: | 97DAB1CE75FCD484894E8B9C653ECB4609412ADBFD56CF4D352E4F8ED672963A |
| SHA-512: | F7A36729504B8D94C188AC80214993F7D780C7431DAA2163CA6BD304BFA57DCE5160B8AAF7DA422E4A53067349D8412EC70685A9BDE9C321E9ABE93C3AB701ED |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\Documenti di spedizione.bat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 438667 |
| Entropy (8bit): | 1.2554285943940462 |
| Encrypted: | false |
| SSDEEP: | 1536:WQqatwb3BquFonZ0MZGDfw/Ams7/cTCDEhqR9:prwTBq1ZPGD4/xsDEh8 |
| MD5: | 1EF716DEB3AD336E09ABC68798EEFB78 |
| SHA1: | 15E56DD29E83D44626E46F219AA1EFC8FEC6FB73 |
| SHA-256: | 6401066B34D5FD3C9103C01112200E109A78A3DC584B7E55392B7A45020A76B0 |
| SHA-512: | 6BD0842FE87E9C7467249673485392D1A718B84A757BE8AB94F4323F5BE358C0975A7E5BC4F74AF2EF69F5DB46AD00DCE3DDA9BBD20C2A6CE9D364883A40E7F9 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\Kavalerens188.equ
Download File
| Process: | C:\Users\user\Desktop\Documenti di spedizione.bat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 419878 |
| Entropy (8bit): | 1.2587845148762749 |
| Encrypted: | false |
| SSDEEP: | 1536:iKHVhskoaFMrwPuNqw8hbEZ1EvgaKCiIklf3:JHcP9+w8hb8IQ |
| MD5: | 93C85B7E4C86F442491FF2D5F5B3FE0B |
| SHA1: | 893EE5DC579DA377DCE95F9DECAF57438F967112 |
| SHA-256: | 7D60978D18793A119BB47B0D702E2D1EFAE28514EB46E9F96D75BB6FDA4ECF99 |
| SHA-512: | A0D6B52554F688E47986FFA6B3885393F47A5D51895DC40219BDB1C838609755B1A801E446B926B44AB6C2F4B8A05A183D3C6BBF0D16CA84802CB5DBCA1581C9 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\Documenti di spedizione.bat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 513 |
| Entropy (8bit): | 4.312755423928167 |
| Encrypted: | false |
| SSDEEP: | 12:iN2DyKkMNtYdKYK90GbzE1gcaAy6AGb0CY3EoAAV:iYDZBGILeGzAy6jbts |
| MD5: | 3A44600B8B24F5CC7EF13B014C5FC8E6 |
| SHA1: | DABC64C2788C61476C159BF60E27A0385B761223 |
| SHA-256: | 037EE7216549B3D566F3D53E5801D45ADACF332F937FB43BD5A5E3F0DF9662A6 |
| SHA-512: | 02985E9F575B10700A6C8FE167DB6EBD81E1B8DE758DFAB47BB01AB7FE568525C17E933AA2DB98673E1A43EB3EF63CAB6E97D59FE1B1D52E3484737E0D9B4CBE |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\Subarachnoid\Protaspis.sol
Download File
| Process: | C:\Users\user\Desktop\Documenti di spedizione.bat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 305301 |
| Entropy (8bit): | 1.2617727746454932 |
| Encrypted: | false |
| SSDEEP: | 768:OFl7dydtg1PEAqjKsB0peIl0LVJmpGgJQZwWmkYvYTDjBlqndyzkEV5ndnGVa76E:hdKCZmTCLm4TyycJrcYKLdL59NBGa |
| MD5: | EADA66A6285325455F7E0780C000CB65 |
| SHA1: | 125A71ABF2ADCCFE6E4BB3D7BF80CAC064F71690 |
| SHA-256: | D1E27B338C60688975AE1BB239D860E30490A7FEB5AEB1DF1DAD87244DD073AC |
| SHA-512: | 669BA190147018B4CBA35D6CDE23D00683E73DE0C70B60C1AA03EDEC2C7CC629DA73A7495DB05CF4151E100C339C76AFD87A3D179FE98045ED38B02A7A478FB1 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\Subarachnoid\barbecue.ste
Download File
| Process: | C:\Users\user\Desktop\Documenti di spedizione.bat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 302102 |
| Entropy (8bit): | 1.2507376038892632 |
| Encrypted: | false |
| SSDEEP: | 768:+0WlDZ0cyMp2n0GbzqUGvbn/eHiEmNAXxM4cCQHkR1WuFkHnvVG26UZRR15NykM4:b0/vvkPqdcKMyJAnrZpdZ |
| MD5: | 43EB990B1BE1B4570969A310174D319F |
| SHA1: | BEAE29DB714C0576F1BA9256E64F1A0A015B3E84 |
| SHA-256: | 6884CDA80715F73C9D9AA9AD45B9BDE3D9965D2009270BA685B30DD21421C04D |
| SHA-512: | C0FBE88619A7BC3BB8F6CBC8B77B4C1E21A2AFB8A92B1DF4324C20980C5CF6362CB75B7D065391437147BA746A933EBBD51167E4DF2B94477298A87331E15C75 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\Subarachnoid\paradiset.cho
Download File
| Process: | C:\Users\user\Desktop\Documenti di spedizione.bat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 398964 |
| Entropy (8bit): | 1.2601730304396117 |
| Encrypted: | false |
| SSDEEP: | 1536:qIRuZM0E+SCsypSaDWDKQreAN/Ge8+QM8+cj4WHOlXtZ:pRuPs3DKYc5+QM1KW |
| MD5: | 34495288F83EB902AC00567354E11253 |
| SHA1: | F421E0A307361C05A9534639D2B3A446F4673BAF |
| SHA-256: | F917E97748DEE607ABCC405FA70D7614B2F96675914B64AE7FD6AC299BCF220B |
| SHA-512: | E2DE646C75526DDA1B22AEBFF7B7991DEC89D351012FA21D925046EF5DD78ABD2D999ACAAE7C8BA33747480D3C921CDAB05D98839AF3A552063070A3B4C48496 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\Subarachnoid\saddleback.jer
Download File
| Process: | C:\Users\user\Desktop\Documenti di spedizione.bat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 241857 |
| Entropy (8bit): | 1.2492742831199217 |
| Encrypted: | false |
| SSDEEP: | 768:kn4C0nabowYKKucVjMHtvH3Eq1Zg5c+0o4u1uLlOxRuYP9aVsVL/e3ec6Axhe7rO:zAzhHNuZla85OxXCm |
| MD5: | FB3375E7CB0698DF507062161A26885F |
| SHA1: | 5E98C5E6F50A1B57B1E72B412D9632603FF954EF |
| SHA-256: | EB781B87F06CBBB43E36413F70A97528DFF827A3DA9575E56142324F9CF43477 |
| SHA-512: | 949FB9F863EB2EC85B84C4DB3E4EA023F1C3FC09CB79FE52B58569C616FC28F2E0D095DB535C3B80EF44CE4F75EA4752313F4F20A3E3A61E49163FCE8078B79B |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously\distortionless.Ska
Download File
| Process: | C:\Users\user\Desktop\Documenti di spedizione.bat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 387139 |
| Entropy (8bit): | 7.029080344859661 |
| Encrypted: | false |
| SSDEEP: | 6144:DKJqy+wdTormUTsLnezqBg7Eg/XicZi0Ikufi+k:DryBdETsLezqAXiUi+ |
| MD5: | 85FC6CABF335CE81CBAE00B602A9EEB1 |
| SHA1: | ABE79A178FCFF6F54785BF739B5B3DA2C5DDD335 |
| SHA-256: | 0FE88C31B5927FF5D298B958B8249F73932CD0626BE40BC4F0C53E4C1FEE194B |
| SHA-512: | 2E9B68C198E5A0D2BA42013FCB1EE49C3378916383EE6709E7D4E8CFF072D3778597BB0C89ACA44BF9A8551B8D5D92E7BB5ECE6D771710CBA7E1BC319A5A3D99 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\Documenti di spedizione.bat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 30 |
| Entropy (8bit): | 4.256564762130954 |
| Encrypted: | false |
| SSDEEP: | 3:DyWgLQIfLBJXmgU:mkIP25 |
| MD5: | F15BFDEBB2DF02D02C8491BDE1B4E9BD |
| SHA1: | 93BD46F57C3316C27CAD2605DDF81D6C0BDE9301 |
| SHA-256: | C87F2FF45BB530577FB8856DF1760EDAF1060AE4EE2934B17FDD21B7D116F043 |
| SHA-512: | 1757ED4AE4D47D0C839511C18BE5D75796224D4A3049E2D8853650ACE2C5057C42040DE6450BF90DD4969862E9EBB420CD8A34F8DD9C970779ED2E5459E8F2F1 |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\Documenti di spedizione.bat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 11264 |
| Entropy (8bit): | 5.7711167426271945 |
| Encrypted: | false |
| SSDEEP: | 192:OPtkumJX7zB22kGwfy0mtVgkCPOsX1un:/702k5qpdsXQn |
| MD5: | 3F176D1EE13B0D7D6BD92E1C7A0B9BAE |
| SHA1: | FE582246792774C2C9DD15639FFA0ACA90D6FD0B |
| SHA-256: | FA4AB1D6F79FD677433A31ADA7806373A789D34328DA46CCB0449BBF347BD73E |
| SHA-512: | 0A69124819B7568D0DEA4E9E85CE8FE61C7BA697C934E3A95E2DCFB9F252B1D9DA7FAF8774B6E8EFD614885507ACC94987733EBA09A2F5E7098B774DFC8524B6 |
| Malicious: | false |
| Antivirus: |
|
| Joe Sandbox View: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\Documenti di spedizione.bat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 56 |
| Entropy (8bit): | 4.250903860294566 |
| Encrypted: | false |
| SSDEEP: | 3:sAAEVvjsUjXRJ8VL84n:fLXrv8P |
| MD5: | 1B6DC57065799BCB1BF29C6C14892FEA |
| SHA1: | 6569CBC8651ADFD9A73667DE6915DE2FB17C45F0 |
| SHA-256: | 2C587AD3A444FDC29A480B76A140CC9ACE7CB887EB62B57073A2BA14B9E6C06A |
| SHA-512: | 959C12B4407A8648091E0B754705C12AE0918A07D7E82BD1524DA3A74859409AC0DE0C32FAF0667A86D2A00B30F40CD743F7FE5E0D5D7BDFD4C27AECE86A4EB0 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\Documenti di spedizione.bat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 60 |
| Entropy (8bit): | 4.456297888280895 |
| Encrypted: | false |
| SSDEEP: | 3:sEMBQEJkJVEjzXRJ2F3WxQoXUn:Uv2F3WxvUn |
| MD5: | 2EB7EED4B759B0203446B88DB44C52E7 |
| SHA1: | 39392DA939C9F29AB79A0F71BA3DDE628E4F7449 |
| SHA-256: | F87673D947A448A21D48AAA02C39AAD5EA28B8AD68CEAAC4A3A75DC5563558C5 |
| SHA-512: | 992D2B6E83165064D985D76B67A4021C944C97D6A8407DD1D7E44A9290A00E937EAD4ECB0ED2C7487A43797E3BE80D77C657DB663F3C423A6D351D51752D9C57 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\Documenti di spedizione.bat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 52 |
| Entropy (8bit): | 4.0914493934217315 |
| Encrypted: | false |
| SSDEEP: | 3:sBa99k1NoCFOn:KankVg |
| MD5: | 5D04A35D3950677049C7A0CF17E37125 |
| SHA1: | CAFDD49A953864F83D387774B39B2657A253470F |
| SHA-256: | A9493973DD293917F3EBB932AB255F8CAC40121707548DE100D5969956BB1266 |
| SHA-512: | C7B1AFD95299C0712BDBC67F9D2714926D6EC9F71909AF615AFFC400D8D2216AB76F6AC35057088836435DE36E919507E1B25BE87B07C911083F964EB67E003B |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\Documenti di spedizione.bat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 74 |
| Entropy (8bit): | 3.9637832956585757 |
| Encrypted: | false |
| SSDEEP: | 3:sRQE1wFEt/ijNJyI3dj2+n:aQEGiwh3D |
| MD5: | 16D513397F3C1F8334E8F3E4FC49828F |
| SHA1: | 4EE15AFCA81CA6A13AF4E38240099B730D6931F0 |
| SHA-256: | D3C781A1855C8A70F5ACA88D9E2C92AFFFA80541334731F62CAA9494AA8A0C36 |
| SHA-512: | 4A350B790FDD2FE957E9AB48D5969B217AB19FC7F93F3774F1121A5F140FF9A9EAAA8FA30E06A9EF40AD776E698C2E65A05323C3ADF84271DA1716E75F5183C3 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\Documenti di spedizione.bat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 2623208 |
| Entropy (8bit): | 2.6871493218639917 |
| Encrypted: | false |
| SSDEEP: | 12288:WryBdETsLezqAXiUinv0SMGP6gvBse+tJ:rBGTaezziUoYwBse+7 |
| MD5: | AB67B6E0CF3F443E1232C647766CC6D5 |
| SHA1: | 761BD09E383907B0A575EC48F7E07C0243E39289 |
| SHA-256: | 39342F9D01E1A2E478A8484EEB2F1624C39E0A8F7528146C91C8A416F3A0A12F |
| SHA-512: | 06F2D3B9CB14E5C0B76022FEEDBF130B8F5A58F35D559FBE1AF7802DB66A3439BDCC44B57570FEDA4EEA89B6D2504FAE331CDB3BB265AF8521DDDD5BAA5FE00E |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\Documenti di spedizione.bat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1328 |
| Entropy (8bit): | 3.1387620248712413 |
| Encrypted: | false |
| SSDEEP: | 24:8JvaRkD4/BPefDbDLqizZYpbDyizZeiQ5HALqy:8oRkDsxy/DLqiNwDyiNlGAOy |
| MD5: | 00B633B3058EB6B6ED779B0F83D7B527 |
| SHA1: | 7DF1967B9062572EB90E3FA55CA8E1F2A9452634 |
| SHA-256: | 45A8D19A59C6CD5A7EE6E1A547236CB0C816C4E0644A4605031A8EFFB45B56A4 |
| SHA-512: | 3FA7F8256017FC3E7DF736D634001AAC64120858F0171560993590FFA7B34EDC1FA39BA4E5A980A0EEE5E2D9D024E4D1AC195B300994E4CF0EC9114E4B544783 |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.277864141975884 |
| TrID: |
|
| File name: | Documenti di spedizione.bat.exe |
| File size: | 1'007'169 bytes |
| MD5: | c2d72d131fe371481a0cc117bb835f23 |
| SHA1: | dd736a4b716d790f1a3b304f265530399e0646aa |
| SHA256: | d5ee11c69acd2903e1d9b6f6b59aabbd66d9a38430fe4a020d48b18707afb9b8 |
| SHA512: | 79c15f7b54322f2843f203a99605b5cdfd6a0a3fe41bf9265808a266d1c68d099f3fab8354a0d87e53eb673b101ca211a422748c232c725cadb3f4ebf6c9ce39 |
| SSDEEP: | 24576:co8RUr/5+1z5qy4liClnpwWcw0r0ye66RnKUgGEM71KOx5hw:ch+/0qygxlpvAGOsKOm |
| TLSH: | 0125F1E2F38045A6F4790936888BC2E152F0EDE29E421A57137CF36D1DB32D1465BDBA |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.v.F.*.....F...v...F...@...F.Rich..F.........................PE..L...5.MX.................`......... |
 | |
| Icon Hash: | 2f6b71f16d4c71b3 |
| Entrypoint: | 0x4032bf |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x584DCA35 [Sun Dec 11 21:50:45 2016 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 4f67aeda01a0484282e8c59006b0b352 |
| Instruction |
|---|
| sub esp, 00000184h |
| push ebx |
| push esi |
| push edi |
| xor ebx, ebx |
| push 00008001h |
| mov dword ptr [esp+18h], ebx |
| mov dword ptr [esp+10h], 00409130h |
| mov dword ptr [esp+20h], ebx |
| mov byte ptr [esp+14h], 00000020h |
| call dword ptr [00407120h] |
| call dword ptr [004070ACh] |
| cmp ax, 00000006h |
| je 00007FF0F50165B3h |
| push ebx |
| call 00007FF0F5019539h |
| cmp eax, ebx |
| je 00007FF0F50165A9h |
| push 00000C00h |
| call eax |
| mov esi, 00407298h |
| push esi |
| call 00007FF0F50194B5h |
| push esi |
| call dword ptr [004070A8h] |
| lea esi, dword ptr [esi+eax+01h] |
| cmp byte ptr [esi], bl |
| jne 00007FF0F501658Dh |
| push ebp |
| push 00000009h |
| call 00007FF0F501950Ch |
| push 00000007h |
| call 00007FF0F5019505h |
| mov dword ptr [00423724h], eax |
| call dword ptr [00407044h] |
| push ebx |
| call dword ptr [00407288h] |
| mov dword ptr [004237D8h], eax |
| push ebx |
| lea eax, dword ptr [esp+38h] |
| push 00000160h |
| push eax |
| push ebx |
| push 0041ECF0h |
| call dword ptr [00407174h] |
| push 004091ECh |
| push 00422F20h |
| call 00007FF0F501912Fh |
| call dword ptr [004070A4h] |
| mov ebp, 00429000h |
| push eax |
| push ebp |
| call 00007FF0F501911Dh |
| push ebx |
| call dword ptr [00407154h] |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7428 | 0xa0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x47000 | 0x42ba0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x298 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x5e59 | 0x6000 | 1892c55874b94ef60ac62cf77f0ecd0e | False | 0.6585693359375 | data | 6.424194540104456 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x7000 | 0x1246 | 0x1400 | 6389f916226544852e494114faf192ad | False | 0.4271484375 | data | 5.0003960999706765 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x9000 | 0x1a818 | 0x400 | f02c8b5709d3fb8c6cc1ab777c138d8f | False | 0.6455078125 | data | 5.211928615453691 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .ndata | 0x24000 | 0x23000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x47000 | 0x42ba0 | 0x42c00 | cb7fd179fd9ca3f4757b01d96679c1b0 | False | 0.21076559573970038 | data | 3.8403807556058642 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x47208 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 270336 | English | United States | 0.20773293487587655 |
| RT_DIALOG | 0x89230 | 0x144 | data | English | United States | 0.5216049382716049 |
| RT_DIALOG | 0x89378 | 0x100 | data | English | United States | 0.5234375 |
| RT_DIALOG | 0x89478 | 0x11c | data | English | United States | 0.6056338028169014 |
| RT_DIALOG | 0x89598 | 0x60 | data | English | United States | 0.7291666666666666 |
| RT_GROUP_ICON | 0x895f8 | 0x14 | data | English | United States | 1.1 |
| RT_VERSION | 0x89610 | 0x24c | data | English | United States | 0.5357142857142857 |
| RT_MANIFEST | 0x89860 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795 |
| DLL | Import |
|---|---|
| KERNEL32.dll | CopyFileA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, ReadFile, GetFileAttributesA, SetFileAttributesA, ExitProcess, SetEnvironmentVariableA, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, GetCurrentProcess, GetFullPathNameA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, CloseHandle, SetCurrentDirectoryA, MoveFileA, CompareFileTime, GetShortPathNameA, SearchPathA, lstrcmpiA, SetFileTime, lstrcmpA, ExpandEnvironmentStringsA, lstrcpynA, SetErrorMode, GlobalFree, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, GlobalAlloc |
| USER32.dll | ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA |
| GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
| SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA |
| ADVAPI32.dll | RegDeleteKeyA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyExA, RegEnumValueA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA |
| COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
| ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-21T08:25:12.066632+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.5 | 64702 | 84.38.129.16 | 80 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 21, 2024 08:25:11.203861952 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:11.208935022 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:11.209048033 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:11.209271908 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:11.214044094 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.066445112 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.066463947 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.066476107 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.066488028 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.066500902 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.066512108 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.066632032 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.193813086 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.193834066 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.193845034 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.193855047 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.193867922 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.193886995 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.194015026 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.194025993 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.194036007 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.194050074 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.194066048 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.194077969 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.194353104 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.194364071 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.194375038 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.194432020 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.194432020 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.317609072 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.317636013 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.317651033 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.317662001 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.317682028 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.317720890 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.317790031 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.317795992 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.317801952 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.317816019 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.317853928 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.317893028 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.318156004 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.318166971 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.318181992 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.318202019 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.318212986 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.318212986 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.318244934 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.318262100 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.437423944 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.437444925 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.437460899 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.437472105 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.437482119 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.437505960 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.437505960 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.437506914 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.437601089 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.442065001 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.442075014 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.442125082 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.442135096 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.442167044 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.442167044 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.442348957 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.442358971 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.442368984 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.442378998 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.442399979 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.442430019 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.442847013 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.442856073 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.442898989 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.557672977 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.557696104 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.557708025 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.557718039 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.557729959 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.557859898 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.557859898 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.557859898 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.562184095 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.562194109 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.562205076 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.562242985 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.562279940 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.562303066 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.562344074 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.562350035 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.562354088 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.562398911 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.565676928 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.565696001 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.565728903 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.565730095 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.602674007 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.602710962 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.602716923 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.602721930 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.603013992 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.677680016 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.677697897 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.677714109 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.677725077 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.677737951 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.677923918 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.677923918 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.682281971 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.682292938 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.682302952 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.682313919 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.682394981 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.685684919 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.685704947 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.685715914 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.685755968 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.685755968 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.722908020 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.722927094 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.722948074 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.722958088 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.723062992 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.723138094 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.797547102 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.797564983 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.797575951 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.797585964 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.797600031 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.797755003 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.797755003 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.802192926 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.802370071 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.802381992 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.802392960 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.802428961 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.802460909 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.805583954 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.805640936 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.805651903 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.805691004 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.842737913 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.842747927 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.842757940 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.842920065 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.842920065 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.842966080 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.842976093 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.843030930 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.917577028 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.917598963 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.917610884 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.917620897 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.917633057 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.917644978 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.917804956 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.917804956 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.922257900 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.922269106 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.922278881 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.922290087 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.922419071 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.925401926 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.925465107 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.925467014 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.925520897 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.962690115 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.962714911 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.962759018 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.962769985 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.962780952 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.962793112 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:12.962941885 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:12.962941885 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.037400007 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.037415981 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.037426949 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.037528992 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.037539005 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.037549019 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.037693977 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.037693977 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.042068005 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.042083025 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.042092085 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.042145014 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.042145014 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.045414925 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.045433998 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.045444012 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.045473099 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.045473099 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.082614899 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.082627058 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.082643032 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.082710981 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.082710981 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.082756042 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.082767963 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.082781076 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.082815886 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.082854986 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.083108902 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.083120108 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.083169937 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.162672043 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.162694931 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.162707090 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.162717104 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.162727118 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.162738085 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.162811995 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.162893057 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.163005114 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.163013935 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.163064003 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.165293932 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.165333033 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.165364027 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.165373087 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.165385008 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.165410042 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.202656031 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.202671051 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.202691078 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.202703953 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.202714920 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.202728033 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.202774048 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.202855110 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.246814966 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.246828079 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.246840954 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.246972084 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.277245045 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.277256966 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.277307987 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.277316093 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.277343988 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.277379990 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.282526016 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.282535076 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.282588005 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.282644033 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.282655001 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.282665968 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.282676935 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.282713890 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.282713890 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.285322905 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.285372972 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.285382986 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.285392046 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.285425901 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.285456896 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.322770119 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.322812080 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.322823048 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.322839022 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.322851896 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.322899103 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.322937965 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.366717100 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.366743088 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.366754055 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.366785049 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.366823912 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.397138119 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.397149086 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.397195101 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.397205114 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.397206068 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.397253990 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.397253990 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.402600050 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.402616978 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.402626991 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.402669907 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.402702093 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.405245066 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.405256033 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.405267000 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.405299902 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.405328989 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.405391932 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.405402899 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.405412912 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.405442953 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.405472040 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.442629099 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.442641020 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.442651033 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.442693949 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.442725897 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.442780018 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.442790031 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.442800045 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.442835093 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.442863941 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.486696959 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.486709118 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.486720085 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.486785889 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.517318964 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.517330885 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.517340899 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.517410994 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.522480011 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.522497892 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.522552013 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.522658110 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.522701025 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.522710085 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.525343895 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.525355101 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.525372028 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.525382042 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.525393009 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.525404930 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.525435925 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.525435925 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.525435925 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.562716007 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.562730074 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.562740088 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.562751055 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.562817097 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.562874079 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.562882900 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.562896013 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.562906027 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.562917948 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.562921047 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.562938929 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.562956095 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.606622934 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.606646061 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.606827974 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.637280941 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.637290955 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.637295961 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.637566090 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.642432928 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.642452002 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.642461061 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.642493963 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.642550945 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.645229101 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.645272017 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.645281076 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.645339012 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.645360947 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.645370007 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.645380974 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.645437956 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.645437956 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.645751953 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.645813942 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.682518005 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.682528973 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.682590961 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.682637930 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.682648897 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.682661057 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.682672024 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.682696104 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.682725906 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.683130980 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.683140993 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.683156013 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.683192968 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.683193922 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.757251978 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.757262945 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.757268906 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.757273912 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.757498026 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.757524014 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.757529974 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.757606030 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:13.762455940 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.762465954 CEST | 80 | 64702 | 84.38.129.16 | 192.168.2.5 |
| Oct 21, 2024 08:25:13.762510061 CEST | 64702 | 80 | 192.168.2.5 | 84.38.129.16 |
| Oct 21, 2024 08:25:14.318531036 CEST | 64703 | 443 | 192.168.2.5 | 104.26.13.205 |
| Oct 21, 2024 08:25:14.318569899 CEST | 443 | 64703 | 104.26.13.205 | 192.168.2.5 |
| Oct 21, 2024 08:25:14.318653107 CEST | 64703 | 443 | 192.168.2.5 | 104.26.13.205 |
| Oct 21, 2024 08:25:14.332398891 CEST | 64703 | 443 | 192.168.2.5 | 104.26.13.205 |
| Oct 21, 2024 08:25:14.332422972 CEST | 443 | 64703 | 104.26.13.205 | 192.168.2.5 |
| Oct 21, 2024 08:25:14.954675913 CEST | 443 | 64703 | 104.26.13.205 | 192.168.2.5 |
| Oct 21, 2024 08:25:14.954814911 CEST | 64703 | 443 | 192.168.2.5 | 104.26.13.205 |
| Oct 21, 2024 08:25:14.956661940 CEST | 64703 | 443 | 192.168.2.5 | 104.26.13.205 |
| Oct 21, 2024 08:25:14.956675053 CEST | 443 | 64703 | 104.26.13.205 | 192.168.2.5 |
| Oct 21, 2024 08:25:14.957075119 CEST | 443 | 64703 | 104.26.13.205 | 192.168.2.5 |
| Oct 21, 2024 08:25:15.009852886 CEST | 64703 | 443 | 192.168.2.5 | 104.26.13.205 |
| Oct 21, 2024 08:25:15.018683910 CEST | 64703 | 443 | 192.168.2.5 | 104.26.13.205 |
| Oct 21, 2024 08:25:15.059446096 CEST | 443 | 64703 | 104.26.13.205 | 192.168.2.5 |
| Oct 21, 2024 08:25:15.204781055 CEST | 443 | 64703 | 104.26.13.205 | 192.168.2.5 |
| Oct 21, 2024 08:25:15.204933882 CEST | 443 | 64703 | 104.26.13.205 | 192.168.2.5 |
| Oct 21, 2024 08:25:15.204996109 CEST | 64703 | 443 | 192.168.2.5 | 104.26.13.205 |
| Oct 21, 2024 08:25:15.211796045 CEST | 64703 | 443 | 192.168.2.5 | 104.26.13.205 |
| Oct 21, 2024 08:25:16.496897936 CEST | 64704 | 21 | 192.168.2.5 | 192.185.13.234 |
| Oct 21, 2024 08:25:16.501951933 CEST | 21 | 64704 | 192.185.13.234 | 192.168.2.5 |
| Oct 21, 2024 08:25:16.502033949 CEST | 64704 | 21 | 192.168.2.5 | 192.185.13.234 |
| Oct 21, 2024 08:25:16.506221056 CEST | 64704 | 21 | 192.168.2.5 | 192.185.13.234 |
| Oct 21, 2024 08:25:16.512188911 CEST | 21 | 64704 | 192.185.13.234 | 192.168.2.5 |
| Oct 21, 2024 08:25:16.512250900 CEST | 64704 | 21 | 192.168.2.5 | 192.185.13.234 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 21, 2024 08:24:27.283073902 CEST | 53 | 60097 | 162.159.36.2 | 192.168.2.5 |
| Oct 21, 2024 08:24:27.893587112 CEST | 53619 | 53 | 192.168.2.5 | 1.1.1.1 |
| Oct 21, 2024 08:24:27.900473118 CEST | 53 | 53619 | 1.1.1.1 | 192.168.2.5 |
| Oct 21, 2024 08:25:14.306066990 CEST | 57209 | 53 | 192.168.2.5 | 1.1.1.1 |
| Oct 21, 2024 08:25:14.312736988 CEST | 53 | 57209 | 1.1.1.1 | 192.168.2.5 |
| Oct 21, 2024 08:25:16.177403927 CEST | 61454 | 53 | 192.168.2.5 | 1.1.1.1 |
| Oct 21, 2024 08:25:16.493046999 CEST | 53 | 61454 | 1.1.1.1 | 192.168.2.5 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Oct 21, 2024 08:24:27.893587112 CEST | 192.168.2.5 | 1.1.1.1 | 0xef | Standard query (0) | PTR (Pointer record) | IN (0x0001) | false | |
| Oct 21, 2024 08:25:14.306066990 CEST | 192.168.2.5 | 1.1.1.1 | 0x8538 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 21, 2024 08:25:16.177403927 CEST | 192.168.2.5 | 1.1.1.1 | 0x2efe | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Oct 21, 2024 08:24:27.900473118 CEST | 1.1.1.1 | 192.168.2.5 | 0xef | Name error (3) | none | none | PTR (Pointer record) | IN (0x0001) | false | |
| Oct 21, 2024 08:25:14.312736988 CEST | 1.1.1.1 | 192.168.2.5 | 0x8538 | No error (0) | 104.26.13.205 | A (IP address) | IN (0x0001) | false | ||
| Oct 21, 2024 08:25:14.312736988 CEST | 1.1.1.1 | 192.168.2.5 | 0x8538 | No error (0) | 172.67.74.152 | A (IP address) | IN (0x0001) | false | ||
| Oct 21, 2024 08:25:14.312736988 CEST | 1.1.1.1 | 192.168.2.5 | 0x8538 | No error (0) | 104.26.12.205 | A (IP address) | IN (0x0001) | false | ||
| Oct 21, 2024 08:25:16.493046999 CEST | 1.1.1.1 | 192.168.2.5 | 0x2efe | No error (0) | concaribe.com | CNAME (Canonical name) | IN (0x0001) | false | ||
| Oct 21, 2024 08:25:16.493046999 CEST | 1.1.1.1 | 192.168.2.5 | 0x2efe | No error (0) | 192.185.13.234 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 64702 | 84.38.129.16 | 80 | 6360 | C:\Users\user\Desktop\Documenti di spedizione.bat.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Oct 21, 2024 08:25:11.209271908 CEST | 171 | OUT | |
| Oct 21, 2024 08:25:12.066445112 CEST | 1236 | IN | |
| Oct 21, 2024 08:25:12.066463947 CEST | 1236 | IN | |
| Oct 21, 2024 08:25:12.066476107 CEST | 424 | IN | |
| Oct 21, 2024 08:25:12.066488028 CEST | 1236 | IN | |
| Oct 21, 2024 08:25:12.066500902 CEST | 1236 | IN | |
| Oct 21, 2024 08:25:12.066512108 CEST | 424 | IN | |
| Oct 21, 2024 08:25:12.193813086 CEST | 1236 | IN | |
| Oct 21, 2024 08:25:12.193834066 CEST | 1236 | IN | |
| Oct 21, 2024 08:25:12.193845034 CEST | 1236 | IN | |
| Oct 21, 2024 08:25:12.193855047 CEST | 1236 | IN | |
| Oct 21, 2024 08:25:12.193867922 CEST | 1236 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 64703 | 104.26.13.205 | 443 | 6360 | C:\Users\user\Desktop\Documenti di spedizione.bat.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-10-21 06:25:15 UTC | 155 | OUT | |
| 2024-10-21 06:25:15 UTC | 211 | IN | |
| 2024-10-21 06:25:15 UTC | 14 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 02:23:52 |
| Start date: | 21/10/2024 |
| Path: | C:\Users\user\Desktop\Documenti di spedizione.bat.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 1'007'169 bytes |
| MD5 hash: | C2D72D131FE371481A0CC117BB835F23 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 02:24:53 |
| Start date: | 21/10/2024 |
| Path: | C:\Users\user\Desktop\Documenti di spedizione.bat.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 1'007'169 bytes |
| MD5 hash: | C2D72D131FE371481A0CC117BB835F23 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | false |
Execution Graph
| Execution Coverage: | 24.1% |
| Dynamic/Decrypted Code Coverage: | 13.9% |
| Signature Coverage: | 21.3% |
| Total number of Nodes: | 1520 |
| Total number of Limit Nodes: | 53 |
Graph
Function 004032BF Relevance: 91.4, APIs: 33, Strings: 19, Instructions: 357stringcomfileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040524E Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 282windowclipboardmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405F19 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 199stringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405799 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159filestringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406542 Relevance: 5.4, APIs: 4, Instructions: 382COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040270B Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403C09 Relevance: 59.8, APIs: 32, Strings: 2, Instructions: 345windowstringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403877 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215stringregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402D4A Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401759 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147stringtimeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405110 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73stringwindowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406222 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004023D3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73registrystringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401C04 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405A57 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405688 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406977 Relevance: 5.2, APIs: 4, Instructions: 236COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406B78 Relevance: 5.2, APIs: 4, Instructions: 208COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040688E Relevance: 5.2, APIs: 4, Instructions: 205COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406393 Relevance: 5.2, APIs: 4, Instructions: 198COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004067E1 Relevance: 5.2, APIs: 4, Instructions: 180COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004068FF Relevance: 5.2, APIs: 4, Instructions: 170COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040684B Relevance: 5.2, APIs: 4, Instructions: 168COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004030F8 Relevance: 4.6, APIs: 3, Instructions: 101COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402241 Relevance: 4.6, APIs: 3, Instructions: 51stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405751 Relevance: 4.5, APIs: 3, Instructions: 28fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100027E8 Relevance: 3.2, APIs: 2, Instructions: 156COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402FF0 Relevance: 3.1, APIs: 2, Instructions: 88COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402590 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 34stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401A1E Relevance: 3.0, APIs: 2, Instructions: 30stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401E25 Relevance: 3.0, APIs: 2, Instructions: 25COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040156F Relevance: 3.0, APIs: 2, Instructions: 23COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405B6A Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405B45 Relevance: 3.0, APIs: 2, Instructions: 13COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405653 Relevance: 3.0, APIs: 2, Instructions: 9COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004025D7 Relevance: 1.6, APIs: 1, Instructions: 76COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040166A Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004022F2 Relevance: 1.5, APIs: 1, Instructions: 26COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405C11 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405BE2 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 1000270B Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402336 Relevance: 1.5, APIs: 1, Instructions: 20COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040159D Relevance: 1.5, APIs: 1, Instructions: 18COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404128 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403277 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404111 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004040FE Relevance: 1.5, APIs: 1, Instructions: 4COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004014D6 Relevance: 1.3, APIs: 1, Instructions: 19sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 10001215 Relevance: 1.3, APIs: 1, Instructions: 4memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404A8D Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 481windowmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040451A Relevance: 28.3, APIs: 10, Strings: 6, Instructions: 274stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404225 Relevance: 44.0, APIs: 20, Strings: 5, Instructions: 205windowstringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405C40 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131stringmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404143 Relevance: 12.1, APIs: 8, Instructions: 61COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100023DA Relevance: 10.6, APIs: 7, Instructions: 111COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004049DB Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402C13 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004048D1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 1000180D Relevance: 7.7, APIs: 5, Instructions: 189COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401D3B Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405969 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405084 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004059B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 100010E0 Relevance: 5.1, APIs: 4, Instructions: 102memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405ACF Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 8.3% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 28 |
| Total number of Limit Nodes: | 3 |
Graph
Function 38CF3158 Relevance: 8.0, Strings: 6, Instructions: 545COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000DAAAB Relevance: 2.8, Instructions: 2766COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000DA214 Relevance: .4, Instructions: 371COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D4188 Relevance: .3, Instructions: 281COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D4A58 Relevance: .3, Instructions: 266COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D3E40 Relevance: .2, Instructions: 238COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CE3202 Relevance: 6.1, APIs: 4, Instructions: 131threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CE3210 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CF9210 Relevance: 5.2, Strings: 4, Instructions: 231COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CFD008 Relevance: 4.6, Strings: 3, Instructions: 801COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CF4C68 Relevance: 3.9, Strings: 3, Instructions: 186COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CF8138 Relevance: 2.7, Strings: 2, Instructions: 248COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CFAFE8 Relevance: 2.7, Strings: 2, Instructions: 215COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CF920C Relevance: 2.7, Strings: 2, Instructions: 167COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CF4C60 Relevance: 2.6, Strings: 2, Instructions: 139COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000DA101 Relevance: 2.6, Strings: 2, Instructions: 81COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CED7E4 Relevance: 1.6, APIs: 1, Instructions: 117COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CED7F0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39200040 Relevance: 1.6, APIs: 1, Instructions: 93COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CE3450 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CE3458 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39202570 Relevance: 1.5, APIs: 1, Instructions: 48comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 39201780 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000DF2C6 Relevance: 1.5, Strings: 1, Instructions: 238COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D7CA0 Relevance: 1.4, Strings: 1, Instructions: 179COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CFDB7D Relevance: 1.4, Strings: 1, Instructions: 125COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000DF480 Relevance: 1.4, Strings: 1, Instructions: 115COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CF21F8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D7D58 Relevance: 1.4, Strings: 1, Instructions: 101COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D269C Relevance: 1.3, Strings: 1, Instructions: 94COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D1839 Relevance: 1.3, Strings: 1, Instructions: 70COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000DE29D Relevance: 1.3, Strings: 1, Instructions: 60COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000DE7F9 Relevance: 1.3, Strings: 1, Instructions: 60COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000DE2A8 Relevance: 1.3, Strings: 1, Instructions: 59COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D6B60 Relevance: 1.3, Strings: 1, Instructions: 52COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CF8390 Relevance: 1.3, Strings: 1, Instructions: 40COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000DE7C1 Relevance: 1.3, Strings: 1, Instructions: 17COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D874B Relevance: .6, Instructions: 566COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D875B Relevance: .6, Instructions: 558COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D876B Relevance: .6, Instructions: 551COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CF59C0 Relevance: .3, Instructions: 322COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CFB318 Relevance: .3, Instructions: 284COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D417D Relevance: .3, Instructions: 275COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D4A4D Relevance: .3, Instructions: 260COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CF6DD8 Relevance: .3, Instructions: 257COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000DDE58 Relevance: .3, Instructions: 256COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CFB9E1 Relevance: .2, Instructions: 250COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D3E34 Relevance: .2, Instructions: 234COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CF59B9 Relevance: .2, Instructions: 233COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CF62C0 Relevance: .2, Instructions: 229COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CF46B8 Relevance: .2, Instructions: 221COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CF439D Relevance: .2, Instructions: 221COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000DA750 Relevance: .2, Instructions: 215COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CF46D0 Relevance: .2, Instructions: 210COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CF5A0E Relevance: .2, Instructions: 203COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D47D0 Relevance: .2, Instructions: 180COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D47C4 Relevance: .2, Instructions: 178COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CFFC6E Relevance: .2, Instructions: 174COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CFFA18 Relevance: .2, Instructions: 171COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CFFA28 Relevance: .2, Instructions: 163COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CFC898 Relevance: .2, Instructions: 160COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CF5769 Relevance: .1, Instructions: 145COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000DA590 Relevance: .1, Instructions: 143COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D6C9C Relevance: .1, Instructions: 136COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D6CA8 Relevance: .1, Instructions: 132COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CF551C Relevance: .1, Instructions: 127COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D1108 Relevance: .1, Instructions: 125COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D6F2C Relevance: .1, Instructions: 123COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000DEF10 Relevance: .1, Instructions: 121COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000DE998 Relevance: .1, Instructions: 112COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000DE988 Relevance: .1, Instructions: 110COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D1138 Relevance: .1, Instructions: 100COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CF20A8 Relevance: .1, Instructions: 97COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D5058 Relevance: .1, Instructions: 91COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CF20B8 Relevance: .1, Instructions: 91COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D26A8 Relevance: .1, Instructions: 90COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D5068 Relevance: .1, Instructions: 89COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D1343 Relevance: .1, Instructions: 86COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D7E71 Relevance: .1, Instructions: 86COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D1660 Relevance: .1, Instructions: 81COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D1448 Relevance: .1, Instructions: 79COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000DA110 Relevance: .1, Instructions: 78COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CF3BA8 Relevance: .1, Instructions: 78COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CF3BA0 Relevance: .1, Instructions: 77COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000DA000 Relevance: .1, Instructions: 75COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D4F48 Relevance: .1, Instructions: 73COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000DE36A Relevance: .1, Instructions: 72COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000AD030 Relevance: .1, Instructions: 72COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000DA010 Relevance: .1, Instructions: 70COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D1848 Relevance: .1, Instructions: 70COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D1670 Relevance: .1, Instructions: 69COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D4F58 Relevance: .1, Instructions: 68COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CF6DD7 Relevance: .1, Instructions: 68COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D0848 Relevance: .1, Instructions: 62COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D1780 Relevance: .1, Instructions: 61COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D0838 Relevance: .1, Instructions: 61COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CF3CB8 Relevance: .1, Instructions: 59COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CFEE52 Relevance: .1, Instructions: 56COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CF3970 Relevance: .1, Instructions: 54COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000D1458 Relevance: .1, Instructions: 53COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CF3157 Relevance: .1, Instructions: 53COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CF4304 Relevance: .1, Instructions: 53COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000AD02B Relevance: .1, Instructions: 53COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CF3978 Relevance: .1, Instructions: 52COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CF4308 Relevance: .1, Instructions: 51COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CF3CB3 Relevance: .0, Instructions: 49COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CFEE60 Relevance: .0, Instructions: 49COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CFA3D0 Relevance: .0, Instructions: 47COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CFA3D8 Relevance: .0, Instructions: 46COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000DF20D Relevance: .0, Instructions: 42COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000DF210 Relevance: .0, Instructions: 41COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CFC897 Relevance: .0, Instructions: 33COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CFEF0F Relevance: .0, Instructions: 29COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CF654B Relevance: .0, Instructions: 24COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 000DE7D0 Relevance: .0, Instructions: 16COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004032BF Relevance: 79.1, APIs: 33, Strings: 12, Instructions: 357stringcomfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404A8D Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405799 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 159filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CF7760 Relevance: 13.0, Strings: 10, Instructions: 468COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406542 Relevance: 5.4, APIs: 4, Instructions: 382COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040524E Relevance: 54.3, APIs: 36, Instructions: 282windowclipboardmemoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404225 Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 205windowstringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403877 Relevance: 37.0, APIs: 13, Strings: 8, Instructions: 215stringregistryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405C40 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131stringmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040451A Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 274stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402D4A Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 203memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405F19 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 199stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404143 Relevance: 12.1, APIs: 8, Instructions: 61COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004049DB Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402C13 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406222 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CFAA00 Relevance: 10.2, Strings: 8, Instructions: 229COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CF7160 Relevance: 9.2, Strings: 7, Instructions: 405COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CFBAC0 Relevance: 7.7, Strings: 6, Instructions: 197COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401D95 Relevance: 7.5, APIs: 5, Instructions: 43COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401D3B Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401C04 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004048D1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405084 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CF8498 Relevance: 5.3, Strings: 4, Instructions: 282COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405688 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406977 Relevance: 5.2, APIs: 4, Instructions: 236COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406B78 Relevance: 5.2, APIs: 4, Instructions: 208COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040688E Relevance: 5.2, APIs: 4, Instructions: 205COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406393 Relevance: 5.2, APIs: 4, Instructions: 198COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004067E1 Relevance: 5.2, APIs: 4, Instructions: 180COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004068FF Relevance: 5.2, APIs: 4, Instructions: 170COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040684B Relevance: 5.2, APIs: 4, Instructions: 168COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 38CF88B0 Relevance: 5.2, Strings: 4, Instructions: 168COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405ACF Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|