Windows
Analysis Report
ePAY-Advice_Rf[UC7749879100].exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64native
- ePAY-Advice_Rf[UC7749879100].exe (PID: 7800 cmdline: C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe MD5: 06BF8620598B674FC3506A2844D42D65)
- ePAY-Advice_Rf[UC7749879100].exe (PID: 4428 cmdline: C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe MD5: 06BF8620598B674FC3506A2844D42D65)
- WerFault.exe (PID: 7980 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 2000 MD5: 40A149513D721F096DDF50C04DA2F01F)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution | | |
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Loki Password Stealer (PWS), LokiBot | See description below | | | |

"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMe

Loki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.

Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.

The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24 characters. For example: B7E1C2CC98066B250DDB2123.

Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\C98066\.

There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:

FILE EXTENSION | FILE DESCRIPTION |
---|---|
.exe | A copy of the malware that will execute every time the user account is logged into |
.lck | A lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts |
.hdb | A database of hashes for data that has already been exfiltrated to the C2 server |
.kdb | A database of keylogger data that has yet to be sent to the C2 server |

If the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.

The first packet transmitted by Loki-Bot contains application data. The second packet transmitted by Loki-Bot contains decrypted Windows credentials. The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.

Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.

The first WORD of the HTTP Payload represents the Loki-Bot version. The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:

BYTE | PAYLOAD TYPE |
---|---|
0x26 | Stolen Cryptocurrency Wallet |
0x27 | Stolen Application Data |
0x28 | Get C2 Commands from C2 Server |
0x29 | Stolen File |
0x2A | POS (Point of Sale?) |
0x2B | Keylogger Data |
0x2C | Screenshot |

The 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!

Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.

The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot's C2 infrastructure.

Loki-Bot can accept the following instructions from the C2 Server:

BYTE | INSTRUCTION DESCRIPTION |
---|---|
0x00 | Download EXE & Execute |
0x01 | Download DLL & Load #1 |
0x02 | Download DLL & Load #2 |
0x08 | Delete HDB File |
0x09 | Start Keylogger |
0x0A | Mine & Steal Data |
0x0E | Exit Loki-Bot |
0x0F | Upgrade Loki-Bot |
0x10 | Change C2 Polling Frequency |
0x11 | Delete Executables & Exit |

Suricata Signatures

RULE SID | RULE NAME |
---|---|
2024311 | ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected |
2024312 | ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1 |
2024313 | ET TROJAN Loki Bot Request for C2 Commands Detected M1 |
2024314 | ET TROJAN Loki Bot File Exfiltration Detected |
2024315 | ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1 |
2024316 | ET TROJAN Loki Bot Screenshot Exfiltration Detected |
2024317 | ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2 |
2024318 | ET TROJAN Loki Bot Request for C2 Commands Detected M2 |
2024319 | ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2 |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Lokibot_1 | Yara detected Lokibot | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | |
| JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security | |
| JoeSecurity_Lokibot_1 | Yara detected Lokibot | Joe Security | |
Timestamp: | 03/17/23-14:12:55.965496 |
Source IP: | 192.168.11.20 |
Destination IP: | 171.22.30.147 |
SID: | 2025381 |
Source Port: | 49853 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 03/17/23-14:12:55.965496 |
Source IP: | 192.168.11.20 |
Destination IP: | 171.22.30.147 |
SID: | 2024317 |
Source Port: | 49853 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 03/17/23-14:12:55.965496 |
Source IP: | 192.168.11.20 |
Destination IP: | 171.22.30.147 |
SID: | 2024312 |
Source Port: | 49853 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 03/17/23-14:12:55.965496 |
Source IP: | 192.168.11.20 |
Destination IP: | 171.22.30.147 |
SID: | 2021641 |
Source Port: | 49853 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 03/17/23-14:12:55.965496 |
Source IP: | 192.168.11.20 |
Destination IP: | 171.22.30.147 |
SID: | 2825766 |
Source Port: | 49853 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
AV Detection |
---|
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Source: | Avira URL Cloud: |
Source: | Virustotal: | Perma Link |
Source: | Static PE information: |
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | 1_2_0040626D | |
Source: | Code function: | 1_2_00405732 | |
Source: | Code function: | 1_2_004026FE |
Networking |
---|
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | IP Address: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | String found in binary or memory: | ||
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | HTTPS traffic detected: |
Source: | Code function: | 1_2_004051CF |
Source: | Static PE information: |
Source: | Process created: |
Source: | Code function: | 1_2_004031D6 |
Source: | Code function: | 1_2_00404A0E | |
Source: | Code function: | 1_2_004065F6 | |
Source: | Code function: | 1_2_6DA21A9C |
Source: | Binary or memory string: |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Static PE information: |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | File read: | Jump to behavior |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Code function: | 1_2_004031D6 |
Source: | File created: | Jump to behavior |
Source: | File created: | Jump to behavior |
Source: | Classification label: |
Source: | Code function: | 1_2_004020D1 |
Source: | File read: | Jump to behavior |
Source: | Code function: | 1_2_0040449B |
Source: | Mutant created: |
Source: | File written: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Data Obfuscation |
---|
Source: | File source: | ||
Source: | File source: |
Source: | Code function: | 1_2_6DA22F4E | |
Source: | Code function: | 1_2_0333670A | |
Source: | Code function: | 1_2_033337D4 | |
Source: | Code function: | 1_2_03338D60 | |
Source: | Code function: | 1_2_03338F9F | |
Source: | Code function: | 1_2_0333660E | |
Source: | Code function: | 1_2_03336E97 | |
Source: | Code function: | 1_2_03336FD6 | |
Source: | Code function: | 5_2_016637D4 | |
Source: | Code function: | 5_2_01668D60 | |
Source: | Code function: | 5_2_0166670A | |
Source: | Code function: | 5_2_0166660E | |
Source: | Code function: | 5_2_01666FD6 | |
Source: | Code function: | 5_2_01666E97 | |
Source: | Code function: | 5_2_01668F9F |
Source: | Code function: | 1_2_6DA21A9C |
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file |
Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion |
---|
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior |
Source: | Last function: |
Source: | Dropped PE file which has not been started: | Jump to dropped file |
Source: | Code function: | 1_2_0040626D | |
Source: | Code function: | 1_2_00405732 | |
Source: | Code function: | 1_2_004026FE |
Source: | API call chain: | graph_1-5082 | ||
Source: | API call chain: | graph_1-5249 |
Source: | Binary or memory string: | ||
Source: | Code function: | 1_2_6DA21A9C |
Source: | Process token adjusted: | Jump to behavior |
Source: | Process created: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Code function: | 1_2_004031D6 |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: |
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior |
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Masquerading | 2 OS Credential Dumping | 11 Security Software Discovery | Remote Services | 1 Email Collection | Exfiltration Over Other Network Medium | 11 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 11 Process Injection | 11 Virtualization/Sandbox Evasion | 1 Credentials in Registry | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | 1 DLL Side-Loading | 1 Access Token Manipulation | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | 2 Data from Local System | Automated Exfiltration | 3 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 11 Process Injection | NTDS | 5 System Information Discovery | Distributed Component Object Model | 1 Clipboard Data | Scheduled Transfer | 14 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 DLL Side-Loading | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 46% | Virustotal | | Browse |
| 28% | ReversingLabs | Win32.Trojan.GuLoader | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | ReversingLabs | | |
| 0% | ReversingLabs | | |
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
| 100% | Avira | HEUR/AGEN.1223491 | | Download File |
| 100% | Avira | HEUR/AGEN.1223491 | | Download File |
| 100% | Avira | HEUR/AGEN.1223491 | | Download File |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 7% | Virustotal | | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Virustotal | | Browse |
| 0% | Avira URL Cloud | safe | |
| 100% | Avira URL Cloud | malware | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Virustotal | | Browse |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
zed-unusual-activity-com.veldaeffertz.ml | 188.114.96.3 | true | false | | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
| true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | true | | unknown |
| | true | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | true | | unknown |
| | false | | unknown |
| | true | | unknown |
| | true | | unknown |
| | true | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
171.22.30.147 | unknown | Germany | | 33657 | CMCSUS | true |
188.114.96.3 | zed-unusual-activity-com.veldaeffertz.ml | European Union | | 13335 | CLOUDFLARENETUS | false |
Joe Sandbox Version: | 37.0.0 Beryl |
Analysis ID: | 828721 |
Start date and time: | 2023-03-17 14:08:19 +01:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 11m 39s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301) |
Number of new started processes analysed: | 9 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample file name: | ePAY-Advice_Rf[UC7749879100].exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@4/19@23/2 |
EGA Information: | |
HDC Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 40.126.32.139, 40.126.32.132, 40.126.32.137, 20.190.160.15, 40.126.32.67, 40.126.32.73, 20.190.160.12, 20.190.160.23
- Excluded domains from analysis (whitelisted): wdcpalt.microsoft.com, client.wns.windows.com, prda.aadg.msidentity.com, login.live.com, www.tm.lg.prod.aadmsa.akadns.net, ctldl.windowsupdate.com, www.tm.a.prd.aadg.akadns.net, wdcp.microsoft.com, login.msa.msidentity.com
- Execution Graph export aborted for target ePAY-Advice_Rf[UC7749879100].exe, PID 4428 because there are no executed functions
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
171.22.30.147 | | Get hash | malicious | GuLoader, Lokibot | Browse | |
| | Get hash | malicious | GuLoader, Lokibot | Browse | |
| | Get hash | malicious | Lokibot | Browse | |
| | Get hash | malicious | GuLoader, Lokibot | Browse | |
| | Get hash | malicious | Lokibot | Browse | |
| | Get hash | malicious | Lokibot | Browse | |
| | Get hash | malicious | Lokibot | Browse | |
| | Get hash | malicious | Lokibot | Browse | |
| | Get hash | malicious | Lokibot | Browse | |
| | Get hash | malicious | Lokibot | Browse | |
| | Get hash | malicious | GuLoader, Lokibot | Browse | |
| | Get hash | malicious | Lokibot | Browse | |
| | Get hash | malicious | Lokibot | Browse | |
| | Get hash | malicious | Lokibot | Browse | |
| | Get hash | malicious | Lokibot | Browse | |
| | Get hash | malicious | Lokibot | Browse | |
| | Get hash | malicious | GuLoader, Lokibot | Browse | |
| | Get hash | malicious | Lokibot | Browse | |
| | Get hash | malicious | Lokibot | Browse | |
| | Get hash | malicious | Lokibot | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
zed-unusual-activity-com.veldaeffertz.ml | | Get hash | malicious | GuLoader, Lokibot | Browse | |
| | Get hash | malicious | GuLoader, Lokibot | Browse | |
| | Get hash | malicious | GuLoader, Lokibot | Browse | |
| | Get hash | malicious | GuLoader, Lokibot | Browse | |
| | Get hash | malicious | GuLoader, Lokibot | Browse | |
| | Get hash | malicious | GuLoader, Lokibot | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CMCSUS | | Get hash | malicious | Cryptbot, MinerDownloader, RedLine, Stealc, Vidar, Xmrig | Browse | |
| | Get hash | malicious | GuLoader, Lokibot | Browse | |
| | Get hash | malicious | Nymaim | Browse | |
| | Get hash | malicious | GuLoader, Lokibot | Browse | |
| | Get hash | malicious | Lokibot | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Mirai | Browse | |
| | Get hash | malicious | Lokibot | Browse | |
| | Get hash | malicious | FormBook | Browse | |
| | Get hash | malicious | Nymaim | Browse | |
| | Get hash | malicious | Nymaim | Browse | |
| | Get hash | malicious | Nymaim | Browse | |
| | Get hash | malicious | AsyncRAT | Browse | |
| | Get hash | malicious | Nymaim | Browse | |
| | Get hash | malicious | GuLoader, Lokibot | Browse | |
| | Get hash | malicious | Lokibot | Browse | |
| | Get hash | malicious | Lokibot | Browse | |
| | Get hash | malicious | Lokibot | Browse | |
| | Get hash | malicious | Lokibot | Browse | |
| | Get hash | malicious | Lokibot | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | HTMLPhisher | Browse | |
| | Get hash | malicious | HTMLPhisher | Browse | |
| | Get hash | malicious | HTMLPhisher | Browse | |
| | Get hash | malicious | HTMLPhisher | Browse | |
| | Get hash | malicious | Amadey, Djvu, RHADAMANTHYS, SmokeLoader | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Mirai | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Mirai | Browse | |
| | Get hash | malicious | HTMLPhisher | Browse | |
| | Get hash | malicious | HTMLPhisher | Browse | |
| | Get hash | malicious | HTMLPhisher | Browse | |
| | Get hash | malicious | HTMLPhisher | Browse | |
| | Get hash | malicious | HTMLPhisher | Browse | |
| | Get hash | malicious | HTMLPhisher | Browse | |
| | Get hash | malicious | HTMLPhisher | Browse | |
| | Get hash | malicious | Amadey, Djvu, Fabookie, SmokeLoader | Browse | |
| | Get hash | malicious | Aurora, DanaBot, SmokeLoader, Stealc | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
37f463bf4616ecd445d4a1937da06e19 | | Get hash | malicious | FormBook | Browse | |
| | Get hash | malicious | AgentTesla, GuLoader | Browse | |
| | Get hash | malicious | Amadey, Djvu, Fabookie, SmokeLoader | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Remcos | Browse | |
| | Get hash | malicious | GuLoader, Lokibot | Browse | |
| | Get hash | malicious | Amadey, Babuk, Clipboard Hijacker, Djvu, Fabookie, RedLine, SmokeLoader | Browse | |
| | Get hash | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | Browse | |
| | Get hash | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | Browse | |
| | Get hash | malicious | Amadey, Djvu, RedLine, SmokeLoader | Browse | |
| | Get hash | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | Browse | |
| | Get hash | malicious | Clipboard Hijacker, Djvu, HTMLPhisher, Vidar | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | BluStealer, ThunderFox Stealer, a310Logger | Browse | |
| | Get hash | malicious | Amadey, Djvu, SmokeLoader | Browse | |
| | Get hash | malicious | Babuk, Djvu | Browse | |
| | Get hash | malicious | Grandcrab, Gandcrab | Browse | |
| | Get hash | malicious | Vidar | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Qbot | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
C:\Users\user\AppData\Local\Temp\nsp7072.tmp\System.dll | | Get hash | malicious | GuLoader, Lokibot | Browse | |
| | Get hash | malicious | GuLoader | Browse | |
| | Get hash | malicious | GuLoader, Lokibot | Browse | |
| | Get hash | malicious | GuLoader | Browse | |
| | Get hash | malicious | GuLoader, Lokibot | Browse | |
| | Get hash | malicious | GuLoader | Browse | |
| | Get hash | malicious | AveMaria, GuLoader, UACMe | Browse | |
| | Get hash | malicious | GuLoader | Browse | |
| | Get hash | malicious | GuLoader, Lokibot | Browse | |
| | Get hash | malicious | GuLoader | Browse | |
| | Get hash | malicious | FormBook, GuLoader | Browse | |
| | Get hash | malicious | GuLoader | Browse | |
| | Get hash | malicious | FormBook, GuLoader | Browse | |
| | Get hash | malicious | GuLoader | Browse | |
| | Get hash | malicious | GuLoader | Browse | |
| | Get hash | malicious | GuLoader | Browse | |
| | Get hash | malicious | GuLoader | Browse | |
| | Get hash | malicious | GuLoader | Browse | |
| | Get hash | malicious | GuLoader | Browse | |
Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
File Type: | |
Category: | dropped |
Size (bytes): | 54 |
Entropy (8bit): | 4.838039816898156 |
Encrypted: | false |
SSDEEP: | 3:7KG/LmI/cXQQLQIfLBJXmgxv:OG/LmI/cXQQkIP2I |
MD5: | FB5EE2C0CAC332EC8390F50016EF0769 |
SHA1: | 11D9FB52FE5289140B9D52A38B56F99512B3A3A7 |
SHA-256: | C557AFE51AB22916E3423820A09D3805BF9DCDCECBEC4FE8DE2C67FB023BA631 |
SHA-512: | 87CCEA7B203B8BFC4E21544FE4FE9693AF230E246C450E673410565791DFE8257E30354772FDCC114C7068D9295FDB491E9B52D1A3B490C0756E568B70B95C0A |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
File Type: | |
Category: | dropped |
Size (bytes): | 11776 |
Entropy (8bit): | 5.832316471889005 |
Encrypted: | false |
SSDEEP: | 192:4PtkiQJr7jHYT87RfwXQ6YSYtOuVDi7IsFW14Ll8CO:H78TQIgGCDp14LGC |
MD5: | B0C77267F13B2F87C084FD86EF51CCFC |
SHA1: | F7543F9E9B4F04386DFBF33C38CBED1BF205AFB3 |
SHA-256: | A0CAC4CF4852895619BC7743EBEB89F9E4927CCDB9E66B1BCD92A4136D0F9C77 |
SHA-512: | F2B57A2EEA00F52A3C7080F4B5F2BB85A7A9B9F16D12DA8F8FF673824556C62A0F742B72BE0FD82A2612A4B6DBD7E0FDC27065212DA703C2F7E28D199696F66E |
Malicious: | false |
Antivirus: | |
Joe Sandbox View: | |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:U:U |
MD5: | C4CA4238A0B923820DCC509A6F75849B |
SHA1: | 356A192B7913B04C54574D18C28D46E6395428AB |
SHA-256: | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
SHA-512: | 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3425316567-2969588382-3778222414-1001\1b1d0082738e9f9011266f86ab9723d2_11389406-0377-47ed-98c7-d564e683c6eb
Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
File Type: | |
Category: | dropped |
Size (bytes): | 47 |
Entropy (8bit): | 1.1262763721961973 |
Encrypted: | false |
SSDEEP: | 3:/lSllIEXln:AWE1 |
MD5: | D69FB7CE74DAC48982B69816C3772E4E |
SHA1: | B1C04CDB2567DC2B50D903B0E1D0D3211191E065 |
SHA-256: | 8CC6CA5CA4D0FA03842A60D90A6141F0B8D64969E830FC899DBA60ACB4905396 |
SHA-512: | 7E4EC58DA8335E43A4542E0F6E05FA2D15393E83634BE973AA3E758A870577BA0BA136F6E831907C4B30D587B8E6EEAFA2A4B8142F49714101BA50ECC294DDB0 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\AEGISIIIRadeonHelper.dll
Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
File Type: | |
Category: | dropped |
Size (bytes): | 34016 |
Entropy (8bit): | 6.1021284380541925 |
Encrypted: | false |
SSDEEP: | 384:JP7a6wQdSCVWSdoEdXjYmxzfkfIwuWR7UPMEdxsTStsBdMQJK2wKucYkcuhV3:N7a6eiHdFdr7W5UPMgy+OBG2X90uhV3 |
MD5: | 4FC7FC174E80C178225C2509027DF961 |
SHA1: | 9FF62413EC0DD462F5F016EBC804F1D736D24796 |
SHA-256: | 866B31DD39B97DEDAFD0FBD5672639EE91B47AD319C47816B4F6D01BFF93FF8C |
SHA-512: | 29261B9ABC4AF2F51C05B61A37721BC737B411530361A4B48A7BFFAB0F8263EA75BFD51B6E6E94E91E1D02DC442B534C3334B05FD8324E7CF307FA08179A1ED9 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
File Type: | |
Category: | dropped |
Size (bytes): | 295288 |
Entropy (8bit): | 6.745618664148764 |
Encrypted: | false |
SSDEEP: | 3072:x+/xc6g1BpoF5SmRfY+uynGbbqwHzp8d7fMUMQpnf+Dk64qR/2sE4GjEZQ2CfDU4:MkpGQqruyGqIzgsG5Nq/uC4fQzbEI2 |
MD5: | 4D698E219A6C687613078B94085D51FE |
SHA1: | 52A9BD9EF707F72A14006D4FDA0989F11A5616B9 |
SHA-256: | 5E0F6244C6A33528CFCEC4C23F45F6238EA57818484B602086D26562F498EF49 |
SHA-512: | 02E934B3374EE1CF9195FC7C329D0F4AC4A8DFBB081CDD04F4D76CF5EA92353507B34EAC099A5161CCD36BF11048FA3588A4D7F029FE585979A1D3E3C93E150B |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
File Type: | |
Category: | dropped |
Size (bytes): | 35747 |
Entropy (8bit): | 4.582392134953922 |
Encrypted: | false |
SSDEEP: | 384:x0ApQpUO7nJ9BGe8Gd+zZcrpqHCuY4TIm+io9fUe4KgZzZxrj2V+QRf4TGf:FypbJrGernrspY4s9fUKgpZxrahgTGf |
MD5: | 69FFEE981CA33B2B99A58323AE19A198 |
SHA1: | C9B1C33C92AE9BAE354B11A9F8F09639B7A8D493 |
SHA-256: | 6623E3157B8615EBC31FE362C9058FFA9682A033822ED7A5E965A086D5F069A3 |
SHA-512: | ED48BD96F3D65CA8F3BDBDBEFDF2F40A29468326436D28E4F9B58FF3A7EFB06197525D55777277719270864AA7D5301F3E3478C86E944D3AD054542DA94084A4 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\avatar-default-symbolic.svg
Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
File Type: | |
Category: | dropped |
Size (bytes): | 266 |
Entropy (8bit): | 4.986245244009802 |
Encrypted: | false |
SSDEEP: | 6:tI9mc4slzc8SRIKMNo/aMhFl1OkUjq5eKVrGDVfqKlNK+:t4C8LKMuyMhPobjoprGDRlj |
MD5: | 8B727826F9D8C0C7C954EDE912CB0DEB |
SHA1: | 1518AA80747326B5353C22D32E57A33D61285119 |
SHA-256: | 0783A7F518D3879C8F0F50B45FBD779A98652469E9B7C659CE41F14D1629D334 |
SHA-512: | 0ABB243F9D1E0B6EDA0CB25D35C3449AB2B5B83078208F11B876A27FF11FF70B79F8BA97D4DA3AED21A8314C75FB2174D9378AF59B57DCB99DFF681D9AAB8561 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\be.txt
Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12193 |
Entropy (8bit): | 4.4720152705808935 |
Encrypted: | false |
SSDEEP: | 192:i2PDEeaNB1PmcptkcDHxbTvPnc67bMxQxGx4ch/JuLQRcg/oN96bPNljYiYr197:ikDFKBFmcPLx3HPnIsqrJuqcgAN96b87 |
MD5: | 3C21135144AC7452E7DB66F0214F9D68 |
SHA1: | B1EC0589D769EAB5E4E8F0F8C21B157EF5EBB47D |
SHA-256: | D095879B8BBC67A1C9875C5E9896942BACF730BD76155C06105544408068C59E |
SHA-512: | 0446A0E2570A1F360FD8700FD4C869C7E2DBB9476BBDEC2526A53844074C79691542B91455343C50941B8A6D5E02A58EE6AA539CC4C4AE9CF000B4034EF663E2 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\changes-allow-symbolic.svg
Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
File Type: | |
Category: | dropped |
Size (bytes): | 998 |
Entropy (8bit): | 5.186938379246791 |
Encrypted: | false |
SSDEEP: | 24:t4CBGD0QNRWLLxo2em0yKbRAecFxV0/wXK:gDrc0NtAecFiH |
MD5: | CB1EEE7BDB582B756D0F68EF02D6D96D |
SHA1: | 9E9B0F25BC472EF1C1C13EEAC12FD11C4CC0D2D9 |
SHA-256: | 20EA767E852A8EBF2C5BA16D56CBAE10BD09D6CBA89B372A57EAA973AD3281B4 |
SHA-512: | E22FAEAE78D244A0F4E7215B31125D5AA4FD66C0720B0DE61D12084EAB879D7A9E231CCD5CD431417115B0945B450DC348DA400D67DB1898513B7BD6B9C274DB |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\dotnet.api
Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1245 |
Entropy (8bit): | 5.462849750105637 |
Encrypted: | false |
SSDEEP: | 24:hM0mIAvy4Wvsqs1Ra7JZRGNeHX+AYcvP2wk1RjdEF3qpMk5:lmIAq1UqsziJZ+eHX+AdP2TvpMk5 |
MD5: | 5343C1A8B203C162A3BF3870D9F50FD4 |
SHA1: | 04B5B886C20D88B57EEA6D8FF882624A4AC1E51D |
SHA-256: | DC1D54DAB6EC8C00F70137927504E4F222C8395F10760B6BEECFCFA94E08249F |
SHA-512: | E0F50ACB6061744E825A4051765CEBF23E8C489B55B190739409D8A79BB08DAC8F919247A4E5F65A015EA9C57D326BBEF7EA045163915129E01F316C4958D949 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\ebook-reader.png
Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
File Type: | |
Category: | dropped |
Size (bytes): | 555 |
Entropy (8bit): | 7.499536740374189 |
Encrypted: | false |
SSDEEP: | 12:6v/7anZhFxDEKwjAq0kaO/yvSL6T1pjNngLpzPanwmB9HE4JqSjF:5bDEPxdqKLmpqLdynw29kEqSZ |
MD5: | BFF011148B773FA44B9A9BB029E8CC52 |
SHA1: | F2B838927E320D12649CEFDEA3AFE383C6650D7C |
SHA-256: | B21DE7B432A7A67544D007ECC0FDD95F8E8C6129AF558A32102EE04C08635653 |
SHA-512: | A57C83AEE0E1F4C530D2F5B90589C31FD6E2FF8F62F998963284218FAC5EE164BCA7A619A9597DC3E2ECD0095A2CF04467E89EDF86700E1A90B3DF60B5121C9B |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\emblem-photos-symbolic.svg
Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
File Type: | |
Category: | dropped |
Size (bytes): | 680 |
Entropy (8bit): | 5.109191824773878 |
Encrypted: | false |
SSDEEP: | 12:t4CP5GEA9xI7jhz4AeW02KdTwWjhz4AeW02KdTPqkoop4p:t4CBGEAgF4AeW0/N4AeW0/Zqg4p |
MD5: | 379690952AAA576521D51249D404CBCD |
SHA1: | 61A8A95B0454422AA47379CF983B99FFDD839439 |
SHA-256: | EAD402FB0B85DB153356EC695016FD4F2C4031367D8ED6D1C1EF5FF4F28A8DE8 |
SHA-512: | 35B6BC866C3D02A2486D3447C82405103DE89D46940F7FE44A7009E714BBA57FBE601EEC939C3206ADB06FB31C4FD1D3822A0ED52A346ACFDE5908643432F928 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\font-select-symbolic.symbolic.png
Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
File Type: | |
Category: | dropped |
Size (bytes): | 220 |
Entropy (8bit): | 6.546211943247282 |
Encrypted: | false |
SSDEEP: | 6:6v/lhPysde0C1jngP3V95D2tOA/RDvhpLUxbVp:6v/7jC1zi3Sr/hW |
MD5: | C84EE7522C124892455BB09DEBCF9340 |
SHA1: | AF87A2A5688346A3902762DD250328B7EF224620 |
SHA-256: | E0A3BD6FE1A1BAEFFE04BCA2980ADF755F888E31DCE3686B16C5DAC4202A38C8 |
SHA-512: | 3BEED79366F15CD075781F677C0C9E84081D2189D1FB541A34AA25980B48701A3D93DC550E4ABEB550EFBE3167B1CAB8338E22F4603C6A71936876FBA75FAD58 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\network-wired-symbolic.symbolic.png
Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
File Type: | |
Category: | dropped |
Size (bytes): | 144 |
Entropy (8bit): | 5.708279548998072 |
Encrypted: | false |
SSDEEP: | 3:yionv//thPl9vt3lAnsrtxBllAoSF1/LvgStjP9f9uvJYUo+/JHt//sup:6v/lhPysKo21/Lvlt7V9+YUouJH1/jp |
MD5: | 1ED278AD206D6EA33FF787DD326E0FC5 |
SHA1: | 8CFF7AD12FC0E5545E71D05879A0245BEDAF4D46 |
SHA-256: | CC88E76F7C7D2E5B07E49D1F2AD88F8BAFC0542EB11CEB2B2FFF235C87AB4417 |
SHA-512: | 7291085B6153C02EDBF679CDDB93B97DBB74943F216EB622CE9722E02613269F626F8A7A5BE8DA683153E9AEE22C40ED7264E8A0ED62A99F477E2B96642596BF |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\pan-start-symbolic.symbolic.png
Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
File Type: | |
Category: | dropped |
Size (bytes): | 140 |
Entropy (8bit): | 5.529383944212929 |
Encrypted: | false |
SSDEEP: | 3:yionv//thPl9vt3lAnsrtxBllDM9vFW0p/sXm1MMos9DwlTYTbklt/sbp:6v/lhPysx8vFW0pkX4iZlTYTI3Ebp |
MD5: | 4308BBBAB1DB146494AE5ABB07B8E6DB |
SHA1: | 58121574EEB070E26DDD75A964F3548E176E58A4 |
SHA-256: | EFB732049C674EB25BFCB2FA0CBCC45D24190BF1479C054647F424B31E34C828 |
SHA-512: | 41C9B37516F8D6AB7155F890EE36C26FE4161383A93BFBF696AB18292774C3556642E898361D21CECCBFEFFAF5814495CFAC2C74791E02F068B055BD3AD87DE4 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\printer-symbolic.symbolic.png
Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
File Type: | |
Category: | dropped |
Size (bytes): | 147 |
Entropy (8bit): | 5.834297280344084 |
Encrypted: | false |
SSDEEP: | 3:yionv//thPl9vt3lAnsrtxBllPhF1MzoQxJrN7djpdXLImeR/mV2kg1p:6v/lhPysx1MzoQxlRZbCRaip |
MD5: | 38D787F55E22FB591135F9250CD259D4 |
SHA1: | 0E135B0E1CA49A6E43DB4CB7596FAEA022E23924 |
SHA-256: | 1ED839B015A67CAB9948469975411D982A96314CE82851EA2F9F6BB8D733A002 |
SHA-512: | 4E21AB54B7110B4CD2EBC0E2CF6DF3F8C7C988495BCCA76949BC3C5EB669A793FCCDA5CB4DDB7B627A21734BD181FE44670757144CC2A007FCB695405F08EC2B |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Rekapitulerer\Inseminerede79\pt-br.txt
Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
File Type: | |
Category: | dropped |
Size (bytes): | 9515 |
Entropy (8bit): | 5.04214621707661 |
Encrypted: | false |
SSDEEP: | 192:icoGT04mzNN8hYivh5gtE/PkjY09fdNQuQ:ibGg4mzNhi4tEHoDfHQuQ |
MD5: | 7B02E1AE16E2E709D7C97DE560B4DBE9 |
SHA1: | 191A54644417F7D36F5CB4182DCDB3737D74BE51 |
SHA-256: | DA0B58F52BBC131F967942D1D8E9DE1B5721AE864BC21852A0AD4062332297CB |
SHA-512: | 4F689F854DB3F766B5E53CE2F19E9F8293C075EE3F9B18098EB05B352F2EC95DF85E49A78540781EB531BCE60C7B1F7890F1FE3C65200DEC3CB908E90FB827A1 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\omfartsvejene\Reberbanernes\Muhamedaneres\Sminknings\LogoCanary.png
Process: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
File Type: | |
Category: | dropped |
Size (bytes): | 16669 |
Entropy (8bit): | 7.836876926418697 |
Encrypted: | false |
SSDEEP: | 384:dg1Ew+1FT+/6trrKWzge5jh2xmalhctpNy:W1E1c6tru1CUYa4tDy |
MD5: | F80867A421C85C6E2865CF85FF7C4B02 |
SHA1: | C3EAB6B7E92646FE3407B2B3C5AFFE13A7873C48 |
SHA-256: | BCAA3B1333919176137D4DE4B1E3F31126159B12F959D7277BD8537B95139BD3 |
SHA-512: | 06B51E660AEE86FC3BB068C6DEA046920E04F86B8EDD02E640EAC619F0F0D7E87E5CAE5BE1390CEBC5DFE70AA13BAB1710176E88C9D1C859182629D429745D78 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 7.556713515266732 |
File name: | ePAY-Advice_Rf[UC7749879100].exe |
File size: | 329072 |
MD5: | 06bf8620598b674fc3506a2844d42d65 |
SHA1: | 00e28bd96e338f7bfff9c41d985de05f010d8ea7 |
SHA256: | 98883d7d2678fd8cbdad8b8c1ca7cf13a797b1074f081dee24aba14dcc346ffe |
SHA512: | d1e49bf22a28b2521f5ddfe4e0da6a40ebd599a3284f9d25b791e0ded05918e615ed4d65fe5d49c588fcc61e05cd2a80374ebfe94ceed972e5490d255f28dae7 |
SSDEEP: | 6144:iDk/kgv+gAz2TU8tpVy+cofgwCNW8J++jMJnq2UroIbvt:ztD42TU8DdcjNFJgJnqbrh1 |
TLSH: | 4C64F14176A1C823FD6A4630CD91E5F3E1BAFE04C828D10773A13FAFB9352858555EBA |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.v.F.*.....F...v...F...@...F.Rich..F.........................PE..L...+.oZ.................`......... |
Icon Hash: | 08c2b0d8cc64b046 |
Entrypoint: | 0x4031d6 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x5A6FED2B [Tue Jan 30 03:57:31 2018 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 3abe302b6d9a1256e6a915429af4ffd2 |
Signature Valid: | false |
Signature Issuer: | E=spinulation@Johnsen.fo, OU="Releaser Regionplanlov Ellwood ", O=Blodkrftens, L=Fleuriel, S=Auvergne-Rhône-Alpes, C=FR |
Signature Validation Error: | A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider |
Error Number: | -2146762487 |
Version: | 3 |
Thumbprint MD5: | E72625F2F2E4D81D13EEADD636799AE5 |
Thumbprint SHA-1: | 96AB23C902D117D7E57A617EE5CD324FD5CFB328 |
Thumbprint SHA-256: | 4DD00D1164E5A3B45C21C6B0ACA7CDE02DF5C70EBD4F95F3736AD2784DC2D5E4 |
Serial: | 16E55C1D2183D78DF9C4B28EDF378EDD20F08352 |
Instruction |
---|
sub esp, 00000184h |
push ebx |
push esi |
push edi |
xor ebx, ebx |
push 00008001h |
mov dword ptr [esp+18h], ebx |
mov dword ptr [esp+10h], 00409198h |
mov dword ptr [esp+20h], ebx |
mov byte ptr [esp+14h], 00000020h |
call dword ptr [004070A0h] |
call dword ptr [0040709Ch] |
and eax, BFFFFFFFh |
cmp ax, 00000006h |
mov dword ptr [0042370Ch], eax |
je 00007F70B040A013h |
push ebx |
call 00007F70B040D0EAh |
cmp eax, ebx |
je 00007F70B040A009h |
push 00000C00h |
call eax |
mov esi, 00407298h |
push esi |
call 00007F70B040D066h |
push esi |
call dword ptr [00407098h] |
lea esi, dword ptr [esi+eax+01h] |
cmp byte ptr [esi], bl |
jne 00007F70B0409FEDh |
push 0000000Ah |
call 00007F70B040D0BEh |
push 00000008h |
call 00007F70B040D0B7h |
push 00000006h |
mov dword ptr [00423704h], eax |
call 00007F70B040D0ABh |
cmp eax, ebx |
je 00007F70B040A011h |
push 0000001Eh |
call eax |
test eax, eax |
je 00007F70B040A009h |
or byte ptr [0042370Fh], 00000040h |
push ebp |
call dword ptr [00407044h] |
push ebx |
call dword ptr [00407288h] |
mov dword ptr [004237D8h], eax |
push ebx |
lea eax, dword ptr [esp+38h] |
push 00000160h |
push eax |
push ebx |
push 0041ECC8h |
call dword ptr [00407178h] |
push 00409188h |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7428 | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x36000 | 0xa3c0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x4fb50 | 0xa20 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x298 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x5f0d | 0x6000 | False | 0.6649169921875 | data | 6.450520423955375 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x7000 | 0x1248 | 0x1400 | False | 0.4275390625 | data | 5.007650149182371 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x9000 | 0x1a818 | 0x400 | False | 0.6376953125 | data | 5.129587811765307 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.ndata | 0x24000 | 0x12000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x36000 | 0xa3c0 | 0xa400 | False | 0.0760766006097561 | data | 1.8822021165260459 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_BITMAP | 0x36268 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States |
RT_ICON | 0x365d0 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 0 | English | United States |
RT_DIALOG | 0x3fa78 | 0x144 | data | English | United States |
RT_DIALOG | 0x3fbc0 | 0x13c | data | English | United States |
RT_DIALOG | 0x3fd00 | 0x120 | data | English | United States |
RT_DIALOG | 0x3fe20 | 0x11c | data | English | United States |
RT_DIALOG | 0x3ff40 | 0xc4 | data | English | United States |
RT_DIALOG | 0x40008 | 0x60 | data | English | United States |
RT_GROUP_ICON | 0x40068 | 0x14 | data | English | United States |
RT_MANIFEST | 0x40080 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States |
DLL | Import |
---|---|
KERNEL32.dll | GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetCurrentDirectoryA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA |
USER32.dll | ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA |
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA |
ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA |
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
03/17/23-14:12:55.965496 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49853 | 80 | 192.168.11.20 | 171.22.30.147 |
03/17/23-14:12:55.965496 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49853 | 80 | 192.168.11.20 | 171.22.30.147 |
03/17/23-14:12:55.965496 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49853 | 80 | 192.168.11.20 | 171.22.30.147 |
03/17/23-14:12:55.965496 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49853 | 80 | 192.168.11.20 | 171.22.30.147 |
03/17/23-14:12:55.965496 | TCP | 2825766 | ETPRO TROJAN LokiBot Checkin M2 | 49853 | 80 | 192.168.11.20 | 171.22.30.147 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 17, 2023 14:12:54.334647894 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.334741116 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.335037947 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.364645958 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.364736080 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.403652906 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.403784037 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.403872967 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.463743925 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.464905024 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.465080976 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.469958067 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.512496948 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.722651005 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.722851992 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.722944975 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.723097086 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.723146915 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.723378897 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.723397017 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.723440886 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.723583937 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.723620892 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.723774910 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.723835945 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.723886967 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.723969936 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.724070072 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.724108934 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.724132061 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.724242926 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.724431038 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.724466085 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.724800110 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.835608006 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.835864067 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.835886955 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.835967064 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.836069107 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.836235046 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.836235046 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.836317062 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.836342096 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.836584091 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.838026047 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.838287115 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.838385105 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.838531017 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.838639975 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.838671923 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.838726997 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.838767052 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.838920116 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.838956118 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.839015961 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.839242935 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.839242935 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.839294910 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.839598894 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.843415022 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.843616962 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.843703985 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.843882084 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.843987942 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.844014883 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.844042063 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.844238997 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.844238997 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.844259977 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.844345093 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.844582081 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.844583035 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.844613075 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.844640970 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.844780922 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.844782114 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.844886065 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.845119953 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.951216936 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.951428890 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.951525927 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.951684952 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.951800108 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.951807022 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.951862097 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.951894045 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.952091932 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.952095985 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.952095985 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.952202082 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.952281952 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.952439070 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.952471018 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.952512026 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.952641010 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.952686071 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.952850103 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.953066111 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.953066111 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.953099966 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.953314066 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.953370094 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.953423023 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.953548908 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.953702927 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.953704119 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.953769922 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.953809023 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.953929901 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.953955889 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.954061985 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.954061985 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.954062939 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.954122066 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.954245090 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.954245090 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.954245090 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.954508066 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.954655886 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.954659939 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.954659939 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.954742908 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.954790115 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.954919100 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.954977036 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.955117941 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.955326080 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.955327034 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.955459118 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.955513000 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.955739975 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.955739975 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.955739975 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.955831051 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.955921888 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.956053019 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.956057072 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.956058025 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.956115961 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.956162930 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.956199884 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.956459045 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.956458092 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.956480980 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.956506014 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.956619024 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.956619024 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.956826925 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.956826925 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.956826925 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.956826925 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.956826925 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.956849098 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.956859112 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:54.956990957 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:54.957180023 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:55.071397066 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:55.071659088 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:55.071715117 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:55.071772099 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:55.071949959 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:55.072040081 CET | 49852 | 443 | 192.168.11.20 | 188.114.96.3 |
Mar 17, 2023 14:12:55.072102070 CET | 443 | 49852 | 188.114.96.3 | 192.168.11.20 |
Mar 17, 2023 14:12:55.945913076 CET | 49853 | 80 | 192.168.11.20 | 171.22.30.147 |
Mar 17, 2023 14:12:55.963694096 CET | 80 | 49853 | 171.22.30.147 | 192.168.11.20 |
Mar 17, 2023 14:12:55.963943005 CET | 49853 | 80 | 192.168.11.20 | 171.22.30.147 |
Mar 17, 2023 14:12:55.965496063 CET | 49853 | 80 | 192.168.11.20 | 171.22.30.147 |
Mar 17, 2023 14:12:55.983457088 CET | 80 | 49853 | 171.22.30.147 | 192.168.11.20 |
Mar 17, 2023 14:12:55.983731985 CET | 49853 | 80 | 192.168.11.20 | 171.22.30.147 |
Mar 17, 2023 14:12:56.001513958 CET | 80 | 49853 | 171.22.30.147 | 192.168.11.20 |
Mar 17, 2023 14:12:57.368526936 CET | 80 | 49853 | 171.22.30.147 | 192.168.11.20 |
Mar 17, 2023 14:12:57.368623972 CET | 80 | 49853 | 171.22.30.147 | 192.168.11.20 |
Mar 17, 2023 14:12:57.368840933 CET | 49853 | 80 | 192.168.11.20 | 171.22.30.147 |
Mar 17, 2023 14:12:57.369118929 CET | 49853 | 80 | 192.168.11.20 | 171.22.30.147 |
Mar 17, 2023 14:12:57.387430906 CET | 80 | 49853 | 171.22.30.147 | 192.168.11.20 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 17, 2023 14:11:08.672599077 CET | 52162 | 53 | 192.168.11.20 | 9.9.9.9 |
Mar 17, 2023 14:11:08.676314116 CET | 53 | 52162 | 9.9.9.9 | 192.168.11.20 |
Mar 17, 2023 14:11:13.753829956 CET | 52244 | 53 | 192.168.11.20 | 9.9.9.9 |
Mar 17, 2023 14:11:13.766824961 CET | 53 | 52244 | 9.9.9.9 | 192.168.11.20 |
Mar 17, 2023 14:11:18.846615076 CET | 57743 | 53 | 192.168.11.20 | 9.9.9.9 |
Mar 17, 2023 14:11:18.850532055 CET | 53 | 57743 | 9.9.9.9 | 192.168.11.20 |
Mar 17, 2023 14:11:23.924415112 CET | 61834 | 53 | 192.168.11.20 | 9.9.9.9 |
Mar 17, 2023 14:11:23.927993059 CET | 53 | 61834 | 9.9.9.9 | 192.168.11.20 |
Mar 17, 2023 14:11:27.984611988 CET | 56644 | 53 | 192.168.11.20 | 9.9.9.9 |
Mar 17, 2023 14:11:27.989150047 CET | 53 | 56644 | 9.9.9.9 | 192.168.11.20 |
Mar 17, 2023 14:11:33.063162088 CET | 58617 | 53 | 192.168.11.20 | 9.9.9.9 |
Mar 17, 2023 14:11:33.070621014 CET | 53 | 58617 | 9.9.9.9 | 192.168.11.20 |
Mar 17, 2023 14:11:38.139564991 CET | 60070 | 53 | 192.168.11.20 | 9.9.9.9 |
Mar 17, 2023 14:11:38.143363953 CET | 53 | 60070 | 9.9.9.9 | 192.168.11.20 |
Mar 17, 2023 14:11:43.215730906 CET | 57664 | 53 | 192.168.11.20 | 9.9.9.9 |
Mar 17, 2023 14:11:43.218975067 CET | 53 | 57664 | 9.9.9.9 | 192.168.11.20 |
Mar 17, 2023 14:11:48.295723915 CET | 51405 | 53 | 192.168.11.20 | 9.9.9.9 |
Mar 17, 2023 14:11:48.302275896 CET | 53 | 51405 | 9.9.9.9 | 192.168.11.20 |
Mar 17, 2023 14:11:53.369611025 CET | 56021 | 53 | 192.168.11.20 | 9.9.9.9 |
Mar 17, 2023 14:11:53.373475075 CET | 53 | 56021 | 9.9.9.9 | 192.168.11.20 |
Mar 17, 2023 14:11:58.447398901 CET | 54853 | 53 | 192.168.11.20 | 9.9.9.9 |
Mar 17, 2023 14:11:58.451924086 CET | 53 | 54853 | 9.9.9.9 | 192.168.11.20 |
Mar 17, 2023 14:12:03.524935007 CET | 64830 | 53 | 192.168.11.20 | 9.9.9.9 |
Mar 17, 2023 14:12:03.528922081 CET | 53 | 64830 | 9.9.9.9 | 192.168.11.20 |
Mar 17, 2023 14:12:08.600559950 CET | 52043 | 53 | 192.168.11.20 | 9.9.9.9 |
Mar 17, 2023 14:12:08.611625910 CET | 53 | 52043 | 9.9.9.9 | 192.168.11.20 |
Mar 17, 2023 14:12:13.681356907 CET | 65408 | 53 | 192.168.11.20 | 9.9.9.9 |
Mar 17, 2023 14:12:13.685094118 CET | 53 | 65408 | 9.9.9.9 | 192.168.11.20 |
Mar 17, 2023 14:12:18.755645990 CET | 59466 | 53 | 192.168.11.20 | 9.9.9.9 |
Mar 17, 2023 14:12:18.761109114 CET | 53 | 59466 | 9.9.9.9 | 192.168.11.20 |
Mar 17, 2023 14:12:23.831711054 CET | 62775 | 53 | 192.168.11.20 | 9.9.9.9 |
Mar 17, 2023 14:12:23.835189104 CET | 53 | 62775 | 9.9.9.9 | 192.168.11.20 |
Mar 17, 2023 14:12:28.908698082 CET | 54256 | 53 | 192.168.11.20 | 9.9.9.9 |
Mar 17, 2023 14:12:28.912781954 CET | 53 | 54256 | 9.9.9.9 | 192.168.11.20 |
Mar 17, 2023 14:12:32.970323086 CET | 59211 | 53 | 192.168.11.20 | 9.9.9.9 |
Mar 17, 2023 14:12:32.974494934 CET | 53 | 59211 | 9.9.9.9 | 192.168.11.20 |
Mar 17, 2023 14:12:38.047481060 CET | 58214 | 53 | 192.168.11.20 | 9.9.9.9 |
Mar 17, 2023 14:12:38.051160097 CET | 53 | 58214 | 9.9.9.9 | 192.168.11.20 |
Mar 17, 2023 14:12:43.125505924 CET | 63309 | 53 | 192.168.11.20 | 9.9.9.9 |
Mar 17, 2023 14:12:43.129215956 CET | 53 | 63309 | 9.9.9.9 | 192.168.11.20 |
Mar 17, 2023 14:12:48.201524019 CET | 52190 | 53 | 192.168.11.20 | 9.9.9.9 |
Mar 17, 2023 14:12:48.206408024 CET | 53 | 52190 | 9.9.9.9 | 192.168.11.20 |
Mar 17, 2023 14:12:53.279522896 CET | 50355 | 53 | 192.168.11.20 | 9.9.9.9 |
Mar 17, 2023 14:12:54.292489052 CET | 50355 | 53 | 192.168.11.20 | 1.1.1.1 |
Mar 17, 2023 14:12:54.327683926 CET | 53 | 50355 | 1.1.1.1 | 192.168.11.20 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Mar 17, 2023 14:11:08.672599077 CET | 192.168.11.20 | 9.9.9.9 | 0x610a | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:11:13.753829956 CET | 192.168.11.20 | 9.9.9.9 | 0x6577 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:11:18.846615076 CET | 192.168.11.20 | 9.9.9.9 | 0x83ac | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:11:23.924415112 CET | 192.168.11.20 | 9.9.9.9 | 0x7c96 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:11:27.984611988 CET | 192.168.11.20 | 9.9.9.9 | 0x4c5 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:11:33.063162088 CET | 192.168.11.20 | 9.9.9.9 | 0xf35d | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:11:38.139564991 CET | 192.168.11.20 | 9.9.9.9 | 0xc2dd | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:11:43.215730906 CET | 192.168.11.20 | 9.9.9.9 | 0x7d97 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:11:48.295723915 CET | 192.168.11.20 | 9.9.9.9 | 0x58de | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:11:53.369611025 CET | 192.168.11.20 | 9.9.9.9 | 0x844 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:11:58.447398901 CET | 192.168.11.20 | 9.9.9.9 | 0x6828 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:12:03.524935007 CET | 192.168.11.20 | 9.9.9.9 | 0x4ba8 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:12:08.600559950 CET | 192.168.11.20 | 9.9.9.9 | 0xa129 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:12:13.681356907 CET | 192.168.11.20 | 9.9.9.9 | 0xd431 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:12:18.755645990 CET | 192.168.11.20 | 9.9.9.9 | 0xe51c | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:12:23.831711054 CET | 192.168.11.20 | 9.9.9.9 | 0xd17a | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:12:28.908698082 CET | 192.168.11.20 | 9.9.9.9 | 0x3bf9 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:12:32.970323086 CET | 192.168.11.20 | 9.9.9.9 | 0x4a1f | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:12:38.047481060 CET | 192.168.11.20 | 9.9.9.9 | 0x511e | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:12:43.125505924 CET | 192.168.11.20 | 9.9.9.9 | 0xa387 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:12:48.201524019 CET | 192.168.11.20 | 9.9.9.9 | 0x7aa | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:12:53.279522896 CET | 192.168.11.20 | 9.9.9.9 | 0x379e | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:12:54.292489052 CET | 192.168.11.20 | 1.1.1.1 | 0x379e | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Mar 17, 2023 14:11:08.676314116 CET | 9.9.9.9 | 192.168.11.20 | 0x610a | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:11:13.766824961 CET | 9.9.9.9 | 192.168.11.20 | 0x6577 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:11:18.850532055 CET | 9.9.9.9 | 192.168.11.20 | 0x83ac | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:11:23.927993059 CET | 9.9.9.9 | 192.168.11.20 | 0x7c96 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:11:27.989150047 CET | 9.9.9.9 | 192.168.11.20 | 0x4c5 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:11:33.070621014 CET | 9.9.9.9 | 192.168.11.20 | 0xf35d | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:11:38.143363953 CET | 9.9.9.9 | 192.168.11.20 | 0xc2dd | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:11:43.218975067 CET | 9.9.9.9 | 192.168.11.20 | 0x7d97 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:11:48.302275896 CET | 9.9.9.9 | 192.168.11.20 | 0x58de | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:11:53.373475075 CET | 9.9.9.9 | 192.168.11.20 | 0x844 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:11:58.451924086 CET | 9.9.9.9 | 192.168.11.20 | 0x6828 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:12:03.528922081 CET | 9.9.9.9 | 192.168.11.20 | 0x4ba8 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:12:08.611625910 CET | 9.9.9.9 | 192.168.11.20 | 0xa129 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:12:13.685094118 CET | 9.9.9.9 | 192.168.11.20 | 0xd431 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:12:18.761109114 CET | 9.9.9.9 | 192.168.11.20 | 0xe51c | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:12:23.835189104 CET | 9.9.9.9 | 192.168.11.20 | 0xd17a | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:12:28.912781954 CET | 9.9.9.9 | 192.168.11.20 | 0x3bf9 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:12:32.974494934 CET | 9.9.9.9 | 192.168.11.20 | 0x4a1f | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:12:38.051160097 CET | 9.9.9.9 | 192.168.11.20 | 0x511e | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:12:43.129215956 CET | 9.9.9.9 | 192.168.11.20 | 0xa387 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:12:48.206408024 CET | 9.9.9.9 | 192.168.11.20 | 0x7aa | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:12:54.327683926 CET | 1.1.1.1 | 192.168.11.20 | 0x379e | No error (0) | | | 188.114.96.3 | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:12:54.327683926 CET | 1.1.1.1 | 192.168.11.20 | 0x379e | No error (0) | | | 188.114.97.3 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.11.20 | 49852 | 188.114.96.3 | 443 | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.11.20 | 49853 | 171.22.30.147 | 80 | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Mar 17, 2023 14:12:55.965496063 CET | 281 | OUT | |
Mar 17, 2023 14:12:55.983731985 CET | 282 | OUT | |
Mar 17, 2023 14:12:57.368526936 CET | 282 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.11.20 | 49852 | 188.114.96.3 | 443 | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2023-03-17 13:12:54 UTC | 0 | OUT | |
2023-03-17 13:12:54 UTC | 0 | IN | |
2023-03-17 13:12:54 UTC | 0 | IN | |
2023-03-17 13:12:54 UTC | 1 | IN | |
2023-03-17 13:12:54 UTC | 2 | IN | |
2023-03-17 13:12:54 UTC | 4 | IN | |
2023-03-17 13:12:54 UTC | 5 | IN | |
2023-03-17 13:12:54 UTC | 6 | IN | |
2023-03-17 13:12:54 UTC | 8 | IN | |
2023-03-17 13:12:54 UTC | 9 | IN | |
2023-03-17 13:12:54 UTC | 10 | IN | |
2023-03-17 13:12:54 UTC | 12 | IN | |
2023-03-17 13:12:54 UTC | 13 | IN | |
2023-03-17 13:12:54 UTC | 14 | IN | |
2023-03-17 13:12:54 UTC | 16 | IN | |
2023-03-17 13:12:54 UTC | 17 | IN | |
2023-03-17 13:12:54 UTC | 18 | IN | |
2023-03-17 13:12:54 UTC | 20 | IN | |
2023-03-17 13:12:54 UTC | 20 | IN | |
2023-03-17 13:12:54 UTC | 21 | IN | |
2023-03-17 13:12:54 UTC | 23 | IN | |
2023-03-17 13:12:54 UTC | 24 | IN | |
2023-03-17 13:12:54 UTC | 25 | IN | |
2023-03-17 13:12:54 UTC | 27 | IN | |
2023-03-17 13:12:54 UTC | 28 | IN | |
2023-03-17 13:12:54 UTC | 29 | IN | |
2023-03-17 13:12:54 UTC | 30 | IN | |
2023-03-17 13:12:54 UTC | 31 | IN | |
2023-03-17 13:12:54 UTC | 32 | IN | |
2023-03-17 13:12:54 UTC | 34 | IN | |
2023-03-17 13:12:54 UTC | 35 | IN | |
2023-03-17 13:12:54 UTC | 36 | IN | |
2023-03-17 13:12:54 UTC | 38 | IN | |
2023-03-17 13:12:54 UTC | 39 | IN | |
2023-03-17 13:12:54 UTC | 41 | IN | |
2023-03-17 13:12:54 UTC | 42 | IN | |
2023-03-17 13:12:54 UTC | 43 | IN | |
2023-03-17 13:12:54 UTC | 44 | IN | |
2023-03-17 13:12:54 UTC | 45 | IN | |
2023-03-17 13:12:54 UTC | 47 | IN | |
2023-03-17 13:12:54 UTC | 48 | IN | |
2023-03-17 13:12:54 UTC | 49 | IN | |
2023-03-17 13:12:54 UTC | 50 | IN | |
2023-03-17 13:12:54 UTC | 51 | IN | |
2023-03-17 13:12:54 UTC | 54 | IN | |
2023-03-17 13:12:54 UTC | 55 | IN | |
2023-03-17 13:12:54 UTC | 57 | IN | |
2023-03-17 13:12:54 UTC | 61 | IN | |
2023-03-17 13:12:54 UTC | 62 | IN | |
2023-03-17 13:12:54 UTC | 66 | IN | |
2023-03-17 13:12:54 UTC | 68 | IN | |
2023-03-17 13:12:54 UTC | 72 | IN | |
2023-03-17 13:12:54 UTC | 74 | IN | |
2023-03-17 13:12:54 UTC | 78 | IN | |
2023-03-17 13:12:54 UTC | 82 | IN | |
2023-03-17 13:12:54 UTC | 82 | IN | |
2023-03-17 13:12:54 UTC | 86 | IN | |
2023-03-17 13:12:54 UTC | 88 | IN | |
2023-03-17 13:12:54 UTC | 92 | IN | |
2023-03-17 13:12:54 UTC | 93 | IN | |
2023-03-17 13:12:54 UTC | 98 | IN | |
2023-03-17 13:12:55 UTC | 99 | IN | |
2023-03-17 13:12:55 UTC | 103 | IN | |
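The DNS and session tables above contain three things a detection engineer would want to pull out automatically: a run of lookups at a fixed cadence that all come back NXDOMAIN, a transaction ID re-sent to a second resolver after the first one stayed silent, and a TCP destination that no DNS answer ever supplied. The script below replays the report's own rows to show how each is recognised. It is an added example, not Joe Sandbox code and not part of the report: the DNS rows and the two session starts are copied from the tables above (CET; the nanosecond timestamps are truncated to microseconds, and the session 0 start is the earliest packet of that session listed in this extract), while the 25 % cadence tolerance and the "no DNS answer" heuristic are the author's assumptions.

```python
"""Replay the DNS and TCP rows of the report and flag: a fixed-cadence run of
NXDOMAIN lookups, a resolver fallback that re-uses the DNS transaction ID, and
a TCP destination that no DNS answer supplied.

Added example, not Joe Sandbox code.  DNS_ROWS and TCP_SESSIONS are copied from
the report (CET, nanoseconds truncated to microseconds).  The tolerance value
and the heuristics are the author's assumptions."""
from datetime import datetime
from statistics import median

# (query time, resolver, transaction ID, reply time or None, RCODE or None, answered IPs)
# RCODE 3 = Name error (NXDOMAIN), 0 = No error.  Queried names are not in this extract.
DNS_ROWS = [
    ("14:11:08.672599", "9.9.9.9", 0x610a, "14:11:08.676314", 3, []),
    ("14:11:13.753829", "9.9.9.9", 0x6577, "14:11:13.766824", 3, []),
    ("14:11:18.846615", "9.9.9.9", 0x83ac, "14:11:18.850532", 3, []),
    ("14:11:23.924415", "9.9.9.9", 0x7c96, "14:11:23.927993", 3, []),
    ("14:11:27.984611", "9.9.9.9", 0x04c5, "14:11:27.989150", 3, []),
    ("14:11:33.063162", "9.9.9.9", 0xf35d, "14:11:33.070621", 3, []),
    ("14:11:38.139564", "9.9.9.9", 0xc2dd, "14:11:38.143363", 3, []),
    ("14:11:43.215730", "9.9.9.9", 0x7d97, "14:11:43.218975", 3, []),
    ("14:11:48.295723", "9.9.9.9", 0x58de, "14:11:48.302275", 3, []),
    ("14:11:53.369611", "9.9.9.9", 0x0844, "14:11:53.373475", 3, []),
    ("14:11:58.447398", "9.9.9.9", 0x6828, "14:11:58.451924", 3, []),
    ("14:12:03.524935", "9.9.9.9", 0x4ba8, "14:12:03.528922", 3, []),
    ("14:12:08.600559", "9.9.9.9", 0xa129, "14:12:08.611625", 3, []),
    ("14:12:13.681356", "9.9.9.9", 0xd431, "14:12:13.685094", 3, []),
    ("14:12:18.755645", "9.9.9.9", 0xe51c, "14:12:18.761109", 3, []),
    ("14:12:23.831711", "9.9.9.9", 0xd17a, "14:12:23.835189", 3, []),
    ("14:12:28.908698", "9.9.9.9", 0x3bf9, "14:12:28.912781", 3, []),
    ("14:12:32.970323", "9.9.9.9", 0x4a1f, "14:12:32.974494", 3, []),
    ("14:12:38.047481", "9.9.9.9", 0x511e, "14:12:38.051160", 3, []),
    ("14:12:43.125505", "9.9.9.9", 0xa387, "14:12:43.129215", 3, []),
    ("14:12:48.201524", "9.9.9.9", 0x07aa, "14:12:48.206408", 3, []),
    ("14:12:53.279522", "9.9.9.9", 0x379e, None, None, []),  # 9.9.9.9 never answered
    ("14:12:54.292489", "1.1.1.1", 0x379e, "14:12:54.327683", 0,
     ["188.114.96.3", "188.114.97.3"]),
]

# (earliest packet of the session in this extract, destination IP, destination port)
TCP_SESSIONS = [
    ("14:12:54.952641", "188.114.96.3", 443),   # session 0, TLS, ~103 kB inbound
    ("14:12:55.945913", "171.22.30.147", 80),   # session 1, plain HTTP
]


def t(hms):
    """Parse an HH:MM:SS.ffffff timestamp on the report's capture date."""
    return datetime.strptime("2023-03-17 " + hms, "%Y-%m-%d %H:%M:%S.%f")


def beacon_stats(rows, tolerance=0.25):
    """Cadence and failure ratio of the lookups.  Retries of one transaction ID
    are collapsed so a resolver fallback does not distort the gaps."""
    first_seen = {}
    for query, _resolver, txid, *_ in rows:
        first_seen.setdefault(txid, t(query))
    times = sorted(first_seen.values())
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    med = median(gaps)
    regular = sum(abs(g - med) <= tolerance * med for g in gaps) / len(gaps)
    nxdomain = sum(r[4] == 3 for r in rows) / len(rows)
    return {"queries": len(times), "median_gap": round(med, 2),
            "regular": round(regular, 2), "nxdomain_ratio": round(nxdomain, 2)}


def resolver_fallbacks(rows):
    """Transaction IDs re-sent to a different resolver after the first stayed silent."""
    attempts = {}
    for query, resolver, txid, reply, *_ in rows:
        attempts.setdefault(txid, []).append((t(query), resolver, reply))
    found = []
    for txid, tries in attempts.items():
        for (q1, r1, reply1), (q2, r2, _) in zip(tries, tries[1:]):
            if reply1 is None and r1 != r2:
                found.append((f"0x{txid:04x}", r1, r2, round((q2 - q1).total_seconds(), 2)))
    return found


def destination_provenance(rows, sessions):
    """For each TCP session: did a DNS answer hand out the destination, and how
    long after that answer did the connection start?  A destination with no
    answer is a candidate hard-coded C2 address."""
    answered_at = {}
    for _q, _r, _txid, reply, _rcode, ips in rows:
        for ip in ips:
            answered_at.setdefault(ip, t(reply))
    result = []
    for start, ip, port in sessions:
        if ip in answered_at:
            delay = round((t(start) - answered_at[ip]).total_seconds(), 2)
            result.append((ip, port, "resolved", delay))
        else:
            result.append((ip, port, "no DNS answer", None))
    return result


if __name__ == "__main__":
    print("beacon   :", beacon_stats(DNS_ROWS))
    print("fallback :", resolver_fallbacks(DNS_ROWS))
    print("sessions :", destination_provenance(DNS_ROWS, TCP_SESSIONS))
```

Run as a script it reports 22 distinct queries at a median spacing of 5.08 s with every gap inside the tolerance and 91 % of the rows NXDOMAIN; transaction 0x379e re-sent to 1.1.1.1 about 1.01 s after 9.9.9.9 went silent; the TLS session to 188.114.96.3 starting 0.62 s after its A record arrived; and the port 80 session to 171.22.30.147 that no DNS answer explains. On real resolver and flow telemetry the three signals are worth correlating rather than alerting on singly: a regular NXDOMAIN cadence alone is common, but a host that then resolves a name, fetches roughly 100 kB over TLS within a second and immediately opens a plain HTTP connection to an address it never looked up is a sequence that benign software rarely produces.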
Target ID: | 1 |
Start time: | 14:10:12 |
Start date: | 17/03/2023 |
Path: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 329072 bytes |
MD5 hash: | 06BF8620598B674FC3506A2844D42D65 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Target ID: | 5 |
Start time: | 14:10:56 |
Start date: | 17/03/2023 |
Path: | C:\Users\user\Desktop\ePAY-Advice_Rf[UC7749879100].exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 329072 bytes |
MD5 hash: | 06BF8620598B674FC3506A2844D42D65 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Target ID: | 8 |
Start time: | 14:12:57 |
Start date: | 17/03/2023 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x4e0000 |
File size: | 482640 bytes |
MD5 hash: | 40A149513D721F096DDF50C04DA2F01F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Execution Graph
Execution Coverage: | 18.8% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 20.5% |
Total number of Nodes: | 1509 |
Total number of Limit Nodes: | 49 |
Per-function panels (control-flow graph, decompiled C code, API and string lists, memory dump source, Joe Sandbox IDA Plugin, similarity) were interactive and did not survive extraction; the summary line of each function is kept below. Uniqueness Score is reported as -1.00% for every function. Entries marked "(header not recovered)" lost their Function line and keep only the C-code quality value.

Function | Relevance | APIs | Strings | Instructions | Tags | C-Code quality |
---|---|---|---|---|---|---|
004031D6 | 91.4 | 32 | 20 | 366 | string, com, file, COMMON | 86% |
00404A0E | 63.5 | 33 | 3 | 481 | window, memory, COMMON, Crypto | 96% |
6DA21A9C | 20.1 | 13 | - | 571 | string, library, memory, COMMON, Crypto | 95% |
00405732 | 17.7 | 7 | 3 | 159 | file, string, COMMON | 98% |
004065F6 | 5.4 | 4 | - | 382 | COMMON, Crypto | 98% |
(header not recovered) | - | - | - | - | - | 100% |
(header not recovered) | - | - | - | - | - | 84% |
00403798 | 47.5 | 14 | 13 | 215 | string, registry, COMMON | 96% |
(header not recovered) | - | - | - | - | - | 80% |
00405F8C | 19.4 | 7 | 4 | 199 | string, COMMON | 72% |
00401759 | 17.6 | 5 | 5 | 147 | string, time, COMMON | 61% |
(header not recovered) | - | - | - | - | - | 100% |
00406294 | 10.5 | 3 | 3 | 36 | library, COMMON | 100% |
(header not recovered) | - | - | - | - | - | 94% |
00402003 | 8.8 | 4 | 1 | 73 | library, loader, COMMON | 60% |
(header not recovered) | - | - | - | - | - | 100% |
(header not recovered) | - | - | - | - | - | 94% |
00401C0A | 7.1 | 3 | 1 | 84 | window, time, COMMON | 59% |
004023D6 | 7.1 | 3 | 1 | 64 | registry, string, COMMON | 83% |
(header not recovered) | - | - | - | - | - | 87% |
00405005 | 5.3 | 2 | 1 | 46 | window, COMMON | 89% |
00405E51 | 5.3 | 2 | 1 | 44 | registry, COMMON | 90% |
00405609 | 5.3 | 2 | 1 | 24 | process, COMMON | 100% |
00406A2B | 5.2 | 4 | - | 236 | COMMON | 99% |
00406C2C | 5.2 | 4 | - | 208 | COMMON | 98% |
00406942 | 5.2 | 4 | - | 205 | COMMON | 98% |
00406447 | 5.2 | 4 | - | 198 | COMMON | 98% |
00406895 | 5.2 | 4 | - | 180 | COMMON | 98% |
004069B3 | 5.2 | 4 | - | 170 | COMMON | 98% |
004068FF | 5.2 | 4 | - | 168 | COMMON | 98% |
(header not recovered) | - | - | - | - | - | 86% |
6DA229C0 | 3.2 | 2 | - | 156 | file, COMMON | 16% |
(header not recovered) | - | - | - | - | - | 84% |
00401389 | 3.0 | 2 | - | 43 | window, COMMON | 59% |
00401E2B | 3.0 | 2 | - | 25 | COMMON | - |
(header not recovered) | - | - | - | - | - | 100% |
00405B03 | 3.0 | 2 | - | 16 | file, COMMON | 68% |
00405ADE | 3.0 | 2 | - | 13 | COMMON | 100% |
004055D4 | 3.0 | 2 | - | 9 | COMMON | 100% |
004025CA | 1.6 | 1 | - | 76 | COMMON | 100% |
0040166A | 1.5 | 1 | - | 38 | file, COMMON | 70% |
00402688 | 1.5 | 1 | - | 28 | COMMON | 40% |
004022FC | 1.5 | 1 | - | 26 | COMMON | 100% |
(header not recovered) | - | - | - | - | - | 100% |
00405B7B | 1.5 | 1 | - | 22 | file, COMMON | 100% |
00405BAA | 1.5 | 1 | - | 22 | file, COMMON | 100% |
6DA228E5 | 1.5 | 1 | - | 21 | memory, COMMON | 100% |
00402340 | 1.5 | 1 | - | 20 | COMMON | 100% |
(header not recovered) | - | - | - | - | - | 100% |
0040159D | 1.5 | 1 | - | 18 | COMMON | 100% |
0040403E | 1.5 | 1 | - | 6 | window, COMMON | 100% |
0040318E | 1.5 | 1 | - | 6 | COMMON | 100% |
6DA21215 | 1.3 | 1 | - | 4 | memory, COMMON | 100% |
004051CF | 54.3 | 36 | - | 282 | window, clipboard, memory, COMMON | 96% |
0040449B | 24.8 | 10 | 4 | 274 | string, COMMON | 78% |
(header not recovered) | - | - | - | - | - | 74% |
004026FE | 1.5 | 1 | - | 29 | file, COMMON | 39% |
00404174 | 38.7 | 19 | 3 | 202 | window, string, COMMON | 93% |
(header not recovered) | - | - | - | - | - | 90% |
00405BD9 | 21.1 | 10 | 2 | 129 | memory, string, COMMON | 100% |
(header not recovered) | - | - | - | - | - | 100% |
00404070 | 12.1 | 8 | - | 68 | COMMON | 100% |
6DA2249C | 10.6 | 7 | - | 124 | COMMON | 77% |
(header not recovered) | - | - | - | - | - | 100% |
0040495C | 10.5 | 5 | 1 | 48 | window, COMMON | 100% |
(header not recovered) | - | - | - | - | - | 73% |
00402C7C | 10.5 | 5 | 1 | 40 | time, COMMON | 100% |
6DA222B5 | 9.1 | 6 | - | 140 | memory, COMMON | 86% |
(header not recovered) | - | - | - | - | - | 37% |
Function 00401D41 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00404852 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON
C-Code - Quality: 77% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004059F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46stringCOMMON
C-Code - Quality: 53% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405902 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
C-Code - Quality: 100% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 84% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00402CFF Relevance: 6.0, APIs: 4, Instructions: 33COMMON
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405949 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON
C-Code - Quality: 100% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 6DA210E0 Relevance: 5.1, APIs: 4, Instructions: 102memoryCOMMON
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405A68 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |