Edit tour
Windows
Analysis Report
Ag3ijL3z1w.exe
Overview
General Information
| Sample name: | Ag3ijL3z1w.exerenamed because original name is a hash value |
| Original sample name: | 038f01c7ab34d20394b657ce5d5f3152.exe |
| Analysis ID: | 1414024 |
| MD5: | 038f01c7ab34d20394b657ce5d5f3152 |
| SHA1: | 7f82fb84c6c0aff1012675d48ba95b0558d3230f |
| SHA256: | 28119987147a63910d12662c2008089f85571817695dcd443d02303d52479c55 |
| Tags: | exe |
| Infos: |  |
 | |
Detection
LummaC
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
Ag3ijL3z1w.exe (PID: 7264 cmdline: "C:\Users\ user\Deskt op\Ag3ijL3 z1w.exe" MD5: 038F01C7AB34D20394B657CE5D5F3152)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
{"C2 url": ["associationokeo.shop", "turkeyunlikelyofw.shop", "pooreveningfuseor.pw", "edurestunningcrackyow.fun", "detectordiscusser.shop", "relevantvoicelesskw.shop", "colorfulequalugliess.shop", "wisemassiveharmonious.shop", "colorfulequalugliess.shop"], "Build id": "g5MvTC--"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
⊘No Sigma rule has matched
| Timestamp: | 03/22/24-13:54:05.472247 |
| SID: | 2051588 |
| Source Port: | 49735 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 03/22/24-13:54:10.961651 |
| SID: | 2051588 |
| Source Port: | 49739 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 03/22/24-13:54:02.814250 |
| SID: | 2051587 |
| Source Port: | 57667 |
| Destination Port: | 53 |
| Protocol: | UDP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 03/22/24-13:54:03.114371 |
| SID: | 2051588 |
| Source Port: | 49732 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 03/22/24-13:54:09.869399 |
| SID: | 2051588 |
| Source Port: | 49738 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 03/22/24-13:54:02.910864 |
| SID: | 2051586 |
| Source Port: | 63995 |
| Destination Port: | 53 |
| Protocol: | UDP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 03/22/24-13:54:08.102502 |
| SID: | 2051588 |
| Source Port: | 49737 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 03/22/24-13:54:03.862026 |
| SID: | 2051588 |
| Source Port: | 49733 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 03/22/24-13:54:06.419545 |
| SID: | 2051588 |
| Source Port: | 49736 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 03/22/24-13:54:04.720277 |
| SID: | 2051588 |
| Source Port: | 49734 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 03/22/24-13:54:03.009215 |
| SID: | 2051584 |
| Source Port: | 51440 |
| Destination Port: | 53 |
| Protocol: | UDP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | URL Reputation: | ||
| Source: | URL Reputation: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Joe Sandbox ML: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Code function: | 0_2_00074F69 | |
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Directory queried: | ||
| Source: | Code function: | 0_2_00083216 | |
| Source: | Code function: | 0_2_00083216 | |
| Source: | Code function: | 0_2_00083216 | |
| Source: | Code function: | 0_2_000812E2 | |
| Source: | Code function: | 0_2_0007541A | |
| Source: | Code function: | 0_2_000695E0 | |
| Source: | Code function: | 0_2_0007D860 | |
| Source: | Code function: | 0_2_0007390E | |
| Source: | Code function: | 0_2_00092156 | |
| Source: | Code function: | 0_2_00094489 | |
| Source: | Code function: | 0_2_000705BD | |
| Source: | Code function: | 0_2_00074810 | |
| Source: | Code function: | 0_2_000668B4 | |
| Source: | Code function: | 0_2_0007CB43 | |
| Source: | Code function: | 0_2_0007CB80 | |
| Source: | Code function: | 0_2_00092C52 | |
| Source: | Code function: | 0_2_00080D8E | |
| Source: | Code function: | 0_2_00070E43 | |
| Source: | Code function: | 0_2_00094FB2 | |
| Source: | Code function: | 0_2_0006D1C0 | |
| Source: | Code function: | 0_2_000952C9 | |
| Source: | Code function: | 0_2_00093458 | |
| Source: | Code function: | 0_2_0007561D | |
| Source: | Code function: | 0_2_0008D620 | |
| Source: | Code function: | 0_2_00083216 | |
| Source: | Code function: | 0_2_00083216 | |
| Source: | Code function: | 0_2_00083216 | |
| Source: | Code function: | 0_2_000719E7 | |
| Source: | Code function: | 0_2_0006FA72 | |
| Source: | Code function: | 0_2_0006FA7F | |
| Source: | Code function: | 0_2_00067B20 | |
| Source: | Code function: | 0_2_0007FB8E | |
Networking | |
|---|
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
System Summary | |
|---|
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_000820C1 | |
| Source: | Code function: | 0_2_00074280 | |
| Source: | Code function: | 0_2_000924B2 | |
| Source: | Code function: | 0_2_000746B7 | |
| Source: | Code function: | 0_2_000927AF | |
| Source: | Code function: | 0_2_000967D0 | |
| Source: | Code function: | 0_2_000927F1 | |
| Source: | Code function: | 0_2_0009286A | |
| Source: | Code function: | 0_2_00092987 | |
| Source: | Code function: | 0_2_00078E50 | |
| Source: | Code function: | 0_2_00090F80 | |
| Source: | Code function: | 0_2_0007541A | |
| Source: | Code function: | 0_2_00095440 | |
| Source: | Code function: | 0_2_00095640 | |
| Source: | Code function: | 0_2_000756F7 | |
| Source: | Code function: | 0_2_00095810 | |
| Source: | Code function: | 0_2_0007D860 | |
| Source: | Code function: | 0_2_00095940 | |
| Source: | Code function: | 0_2_00095BD0 | |
| Source: | Code function: | 0_2_00095D40 | |
| Source: | Code function: | 0_2_00096060 | |
| Source: | Code function: | 0_2_00072277 | |
| Source: | Code function: | 0_2_00096400 | |
| Source: | Code function: | 0_2_00076492 | |
| Source: | Code function: | 0_2_0007C5F0 | |
| Source: | Code function: | 0_2_00072700 | |
| Source: | Code function: | 0_2_0007C765 | |
| Source: | Code function: | 0_2_0007A762 | |
| Source: | Code function: | 0_2_00076790 | |
| Source: | Code function: | 0_2_0007A880 | |
| Source: | Code function: | 0_2_00092C52 | |
| Source: | Code function: | 0_2_00074D10 | |
| Source: | Code function: | 0_2_0007EDB2 | |
| Source: | Code function: | 0_2_00080F04 | |
| Source: | Code function: | 0_2_0007CF46 | |
| Source: | Code function: | 0_2_0008F1E0 | |
| Source: | Code function: | 0_2_00091220 | |
| Source: | Code function: | 0_2_00077305 | |
| Source: | Code function: | 0_2_000914A0 | |
| Source: | Code function: | 0_2_00091600 | |
| Source: | Code function: | 0_2_0007960A | |
| Source: | Code function: | 0_2_00091710 | |
| Source: | Code function: | 0_2_00091840 | |
| Source: | Code function: | 0_2_00091950 | |
| Source: | Code function: | 0_2_00095AB0 | |
| Source: | Code function: | 0_2_00079C41 | |
| Source: | Code function: | 0_2_00077C59 | |
| Source: | Code function: | 0_2_00064640 | |
| Source: | Code function: | 0_2_00083216 | |
| Source: | Code function: | 0_2_000812E2 | |
| Source: | Code function: | 0_2_0007D860 | |
| Source: | Code function: | 0_2_00096060 | |
| Source: | Code function: | 0_2_00082382 | |
| Source: | Code function: | 0_2_00096400 | |
| Source: | Code function: | 0_2_000664F0 | |
| Source: | Code function: | 0_2_0011A824 | |
| Source: | Code function: | 0_2_000668B4 | |
| Source: | Code function: | 0_2_00086D8E | |
| Source: | Code function: | 0_2_00062E70 | |
| Source: | Code function: | 0_2_00080F04 | |
| Source: | Code function: | 0_2_0007CF46 | |
| Source: | Code function: | 0_2_00072F77 | |
| Source: | Code function: | 0_2_0008EF80 | |
| Source: | Code function: | 0_2_0007F3FD | |
| Source: | Code function: | 0_2_00065477 | |
| Source: | Code function: | 0_2_0007960A | |
| Source: | Code function: | 0_2_00061700 | |
| Source: | Code function: | 0_2_00065717 | |
| Source: | Code function: | 0_2_00083216 | |
| Source: | Code function: | 0_2_00073A27 | |
| Source: | Code function: | 0_2_00065A3C | |
| Source: | Code function: | 0_2_00077A8C | |
| Source: | Code function: | 0_2_00067B20 | |
| Source: | Code function: | 0_2_00079C41 | |
| Source: | Code function: | 0_2_00063C6F | |
| Source: | Code function: | 0_2_002DDCD6 | |
| Source: | Code function: | 0_2_0006FDB0 | |
| Source: | Code function: | 0_2_00065F30 | |
| Source: | Static PE information: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_3_00B29BB4 | |
| Source: | Code function: | 0_2_000A85A1 | |
| Source: | Code function: | 0_2_000A6A37 | |
| Source: | Code function: | 0_2_003E05D0 | |
| Source: | Code function: | 0_2_00105F4D | |
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | System information queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_0013E70F | |
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_0013E70F | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Virtualization/Sandbox Evasion | 1 OS Credential Dumping | 131 Security Software Discovery | Remote Services | 1 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 11 Deobfuscate/Decode Files or Information | LSASS Memory | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 31 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 3 Obfuscated Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 12 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 20% | Virustotal | Browse | ||
| 20% | Virustotal | Browse | ||
| 10% | Virustotal | Browse |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | URL Reputation | malware | ||
| 100% | URL Reputation | malware | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 100% | Avira URL Cloud | phishing | ||
| 100% | Avira URL Cloud | phishing | ||
| 100% | Avira URL Cloud | phishing | ||
| 100% | Avira URL Cloud | phishing | ||
| 100% | Avira URL Cloud | phishing | ||
| 100% | Avira URL Cloud | phishing | ||
| 100% | Avira URL Cloud | phishing | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 18% | Virustotal | Browse | ||
| 11% | Virustotal | Browse | ||
| 20% | Virustotal | Browse | ||
| 100% | Avira URL Cloud | phishing | ||
| 11% | Virustotal | Browse | ||
| 10% | Virustotal | Browse | ||
| 100% | Avira URL Cloud | phishing | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | phishing | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | phishing | ||
| 100% | Avira URL Cloud | phishing | ||
| 20% | Virustotal | Browse | ||
| 22% | Virustotal | Browse | ||
| 3% | Virustotal | Browse | ||
| 20% | Virustotal | Browse |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| relevantvoicelesskw.shop | 172.67.147.173 | true | true |
| unknown |
| wisemassiveharmonious.shop | unknown | unknown | true |
| unknown |
| colorfulequalugliess.shop | unknown | unknown | true |
| unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| true |
| unknown | ||
| false | high | |||
| true |
| unknown | ||
| true |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| true |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 172.67.147.173 | relevantvoicelesskw.shop | United States | 13335 | CLOUDFLARENETUS | true |
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1414024 |
| Start date and time: | 2024-03-22 13:53:07 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 3m 55s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 4 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | Ag3ijL3z1w.exerenamed because original name is a hash value |
| Original Sample Name: | 038f01c7ab34d20394b657ce5d5f3152.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@1/0@3/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtCreateFile calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryDirectoryFile calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
|---|---|---|
| 09:54:00 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 172.67.147.173 | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Mars Stealer, PureLog Stealer, Stealc, Vidar | Browse | ||
| Get hash | malicious | LummaC, PureLog Stealer | Browse | |||
| Get hash | malicious | LummaC, Amadey, Glupteba, Mars Stealer, PureLog Stealer, RHADAMANTHYS, RedLine | Browse | |||
| Get hash | malicious | LummaC, PureLog Stealer | Browse | |||
| Get hash | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer, zgRAT | Browse | |||
| Get hash | malicious | LummaC, RisePro Stealer | Browse | |||
| Get hash | malicious | LummaC, PureLog Stealer | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| relevantvoicelesskw.shop | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Mars Stealer, PureLog Stealer, Stealc, Vidar | Browse |
| |
| Get hash | malicious | LummaC, PureLog Stealer | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC, RisePro Stealer | Browse |
| ||
| Get hash | malicious | LummaC, PureLog Stealer | Browse |
| ||
| Get hash | malicious | LummaC, RisePro Stealer | Browse |
| ||
| Get hash | malicious | LummaC, RisePro Stealer | Browse |
| ||
| Get hash | malicious | LummaC, RisePro Stealer | Browse |
| ||
| Get hash | malicious | LummaC, PureLog Stealer | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | Phisher | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla, GuLoader | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | Hidden Macro 4.0 | Browse |
| |
| Get hash | malicious | Babuk, Djvu, Glupteba, SmokeLoader, Xehook Stealer | Browse |
| ||
| Get hash | malicious | Babuk, Clipboard Hijacker, Djvu, Glupteba, SmokeLoader, Vidar, Xehook Stealer | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, LummaC Stealer, Mars Stealer, PureLog Stealer, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | Amadey, RisePro Stealer | Browse |
| ||
| Get hash | malicious | Remcos, DBatLoader | Browse |
| ||
| Get hash | malicious | LummaC, GCleaner, LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 7.932605920092943 |
| TrID: |
|
| File name: | Ag3ijL3z1w.exe |
| File size: | 2'444'904 bytes |
| MD5: | 038f01c7ab34d20394b657ce5d5f3152 |
| SHA1: | 7f82fb84c6c0aff1012675d48ba95b0558d3230f |
| SHA256: | 28119987147a63910d12662c2008089f85571817695dcd443d02303d52479c55 |
| SHA512: | 4e0e25bfabb8882b58341205ee60f3f5dd83a9b93518aa3badd433b784531244fcc9bb07981461a6a382dbd2d1c4de211731156f8768f7cc8e61e0a7c0689a86 |
| SSDEEP: | 49152:hKmuqADBjtRsLNcMH/YShDiSeYeCnhm1nWxZKf95EhjLnFpVrQk:hqJic4/YShWNpygwZVjLnFck |
| TLSH: | 43B51285E69DAA94DC4E007E1B0FB67C31F419AF09508E26D4685FF1D8E2D3C26FA346 |
| File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....8.e.................\............6...........@..........................p9.......%...@..................................T..... |
 | |
| Icon Hash: | 90cececece8e8eb0 |
| Entrypoint: | 0x769f81 |
| Entrypoint Section: | .vmp$PH |
| Digitally signed: | true |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x65FB38B6 [Wed Mar 20 19:27:50 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 8e037c5edb507011bc10ab16654e5d05 |
| Signature Valid: | false |
| Signature Issuer: | CN=\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe7\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe7\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe7\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xcb\xe7\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe7\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xcb\xe7\xb0\xca\xe7\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe7\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe7\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe7\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe7\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe7\xb0\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xaf\xca\xe6\xaf\xca\xe7\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe7\xaf\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xcb\xe7\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xaf\xca\xe7\xaf\xca\xe7\xaf\xca\xe6\xaf\xca\xe6\xaf\xcb\xe7\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe7\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xaf\xcb\xe6\xb0\xca\xe7\xaf\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xcb\xe7\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xb0\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe7\xaf\xca\xe6\xaf\xca\xe7\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe7\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe7\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xaf\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xb0\xcb\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xb0\xcb\xe6\xaf\xcb\xe6\xb0\xcb\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe7\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xaf\xca\xe7\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe7\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xaf\xcb\xe7\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xaf\xcb\xe6\xaf\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xb0\xca\xe6\xb0\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe7\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe7\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe7\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe7\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xcb\xe7\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe7\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xcb\xe7\xb0\xca\xe7\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xcb\xe6\xb0\xcb\xe7\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe7\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe7\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe7\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe7\xb0\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xaf\xca\xe6\xaf\xca\xe7\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe7\xaf\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xcb\xe7\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xaf\xca\xe7\xaf\xca\xe7\xaf\xca\xe6\xaf\xca\xe6\xaf\xcb\xe7\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe7\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xaf\xcb\xe6\xb0\xca\xe7\xaf\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xcb\xe7\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xb0\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe7\xaf\xca\xe6\xaf\xca\xe7\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe7\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xb0\xcb\xe6\xb0\xca\xe7\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xaf\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xb0\xcb\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xb0\xcb\xe6\xaf\xcb\xe6\xb0\xcb\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe7\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xcb\xe6\xaf\xca\xe7\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe7\xaf\xca\xe6\xaf\xca\xe6\xb0\xcb\xe6\xaf\xcb\xe7\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xaf\xcb\xe6\xaf\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xaf\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xcb\xe6\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xb0\xca\xe6\xb0\xcb\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe7\xb0\xca\xe6\xb0\xcb\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xcb\xe7\xb0\xca\xe6\xb0\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xb0\xca\xe6\xaf\xca\xe6\xaf\xca\xe7\xaf\xcb\xe6\xb0\xca\xe6\xb0\xca\xe6\xb0\xca |
| Signature Validation Error: | A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider |
| Error Number: | -2146762487 |
| Not Before, Not After |
|
| Subject Chain |
|
| Version: | 3 |
| Thumbprint MD5: | C52F4D30B83A70AF0470658DE69BF663 |
| Thumbprint SHA-1: | 9E54C11AE2FF492B3597DC10CEE5EBB837B3BFAC |
| Thumbprint SHA-256: | 7F26021CC1AE0BA2A97162E2CA71CCE97C6A30A498EB321878EB7AC98A6CCECE |
| Serial: | 66EA4ABB0FB7CE8C42D3CDE1769F1FEB |
| Instruction |
|---|
| push ebp |
| pushfd |
| mov ebp, 11260B80h |
| call 00007F1A64E21244h |
| jnle 00007F1A64E349F7h |
| pushfd |
| xchg eax, esi |
| lodsd |
| lds esi, fword ptr [edi+46h] |
| loope 00007F1A64E34A5Ah |
| sbb ecx, dword ptr [eax-39h] |
| inc esp |
| and al, 00h |
| loopne 00007F1A64E349A8h |
| xor cl, ch |
| call 00007F1A64D95E37h |
| inc ebp |
| xor dl, al |
| bts di, di |
| call 00007F1A64E2922Ah |
| in eax, 1Fh |
| rcl dword ptr [eax-69BC8AEFh], cl |
| mov cl, EEh |
| xor dword ptr [edi], esi |
| add eax, 1DC8DDCCh |
| inc ebp |
| add eax, esi |
| cmc |
| mov eax, 8AB8E7F3h |
| jnle 00007F1A64E349BAh |
| add ebx, edx |
| mov al, DAh |
| mov edi, 8F00769Eh |
| call far 96D8h : CB007698h |
| sbb al, B0h |
| mov cl, 4Fh |
| bound esi, dword ptr [ecx] |
| pop esi |
| arpl word ptr [edi+1A2F4369h], cx |
| in al, dx |
| sub dword ptr [edx], ebp |
| shld dx, ax, cl |
| call 00007F1A64D5A78Ah |
| jmp 00007F1A64D98136h |
| mov ecx, 2BB3C7B8h |
| mov ecx, dword ptr [ecx+ebp-2BB3C7B8h] |
| mov edi, E8B63391h |
| imul di, di |
| mov edi, dword ptr [ebp+04h] |
| jc 00007F1A64C4873Bh |
| mov eax, 942C2986h |
| call 00007F1A64E06781h |
| jmp 00007F1A64E2D0FEh |
| not edx |
| jmp 00007F1A64C422B7h |
| test ebx, ebx |
| lea esp, dword ptr [esp+04h] |
| je 00007F1A64D46E83h |
| mov eax, dword ptr [ebp+ebx*4+00h] |
| call 00007F1A64C3669Ch |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e54fc | 0x8c | .vmp$PH |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x38e000 | 0x8940 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x24e000 | 0x6e68 | .vmp$PH |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x38c000 | 0x1a18 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x140000 | 0x44 | .vmp$PH |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x35af2 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x37000 | 0x296b | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x3a000 | 0xa254 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .vmp$PH | 0x45000 | 0xfa30b | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .vmp$PH | 0x140000 | 0x234 | 0x400 | 4a3b4254d0505fb177a355c1e8b8c1dd | False | 0.0634765625 | data | 0.34905982431271465 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .vmp$PH | 0x141000 | 0x24ad80 | 0x24ae00 | f27a27a2bdedeb219de2e9f64e257088 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .reloc | 0x38c000 | 0x1a18 | 0x1c00 | 0c51f8f87abe17c6a9c18e9ea241d13c | False | 0.37583705357142855 | data | 5.725189163263045 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0x38e000 | 0x8940 | 0xe00 | 7476abb1f0dafc6e668fb56f2a6110b8 | False | 0.3247767857142857 | data | 3.5735703364825677 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| AFX_DIALOG_LAYOUT | 0x38ed08 | 0x2 | data | 5.0 | ||
| AFX_DIALOG_LAYOUT | 0x38ed0c | 0x2 | data | 5.0 | ||
| RT_DIALOG | 0x38ed10 | 0x8e | data | 0.08450704225352113 | ||
| RT_DIALOG | 0x38eda0 | 0x1ea | data | 0.125 | ||
| RT_DIALOG | 0x38ef8c | 0x1bc | empty | 0 | ||
| RT_STRING | 0x38f148 | 0x44c | empty | 0 | ||
| RT_STRING | 0x38f594 | 0x422 | empty | 0 | ||
| RT_STRING | 0x38f9b8 | 0x45e | empty | 0 | ||
| RT_STRING | 0x38fe18 | 0x426 | empty | 0 | ||
| RT_STRING | 0x390240 | 0x3c2 | empty | 0 | ||
| RT_STRING | 0x390604 | 0x2d6 | empty | 0 | ||
| RT_STRING | 0x3908dc | 0x62 | empty | 0 | ||
| RT_RCDATA | 0x390940 | 0x6000 | empty | English | United States | 0 |
| RT_MESSAGETABLE | 0x38e3a4 | 0x74c | Matlab v4 mat-file (little endian) T, text, rows 200, columns 225, imaginary | English | United States | 0.30085653104925053 |
| RT_MANIFEST | 0x38eaf0 | 0x216 | ASCII text, with CRLF line terminators | 0.5411985018726592 |
| DLL | Import |
|---|---|
| KERNEL32.dll | ExitProcess |
| ole32.dll | CoCreateInstance |
| OLEAUT32.dll | SysAllocString |
| USER32.dll | CloseClipboard |
| GDI32.dll | BitBlt |
| KERNEL32.dll | HeapAlloc, HeapFree, ExitProcess, GetModuleHandleA, LoadLibraryA, GetProcAddress |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 03/22/24-13:54:05.472247 | TCP | 2051588 | ET TROJAN Observed Lumma Stealer Related Domain (relevantvoicelesskw .shop in TLS SNI) | 49735 | 443 | 192.168.2.4 | 172.67.147.173 |
| 03/22/24-13:54:10.961651 | TCP | 2051588 | ET TROJAN Observed Lumma Stealer Related Domain (relevantvoicelesskw .shop in TLS SNI) | 49739 | 443 | 192.168.2.4 | 172.67.147.173 |
| 03/22/24-13:54:02.814250 | UDP | 2051587 | ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (colorfulequalugliess .shop) | 57667 | 53 | 192.168.2.4 | 1.1.1.1 |
| 03/22/24-13:54:03.114371 | TCP | 2051588 | ET TROJAN Observed Lumma Stealer Related Domain (relevantvoicelesskw .shop in TLS SNI) | 49732 | 443 | 192.168.2.4 | 172.67.147.173 |
| 03/22/24-13:54:09.869399 | TCP | 2051588 | ET TROJAN Observed Lumma Stealer Related Domain (relevantvoicelesskw .shop in TLS SNI) | 49738 | 443 | 192.168.2.4 | 172.67.147.173 |
| 03/22/24-13:54:02.910864 | UDP | 2051586 | ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (wisemassiveharmonious .shop) | 63995 | 53 | 192.168.2.4 | 1.1.1.1 |
| 03/22/24-13:54:08.102502 | TCP | 2051588 | ET TROJAN Observed Lumma Stealer Related Domain (relevantvoicelesskw .shop in TLS SNI) | 49737 | 443 | 192.168.2.4 | 172.67.147.173 |
| 03/22/24-13:54:03.862026 | TCP | 2051588 | ET TROJAN Observed Lumma Stealer Related Domain (relevantvoicelesskw .shop in TLS SNI) | 49733 | 443 | 192.168.2.4 | 172.67.147.173 |
| 03/22/24-13:54:06.419545 | TCP | 2051588 | ET TROJAN Observed Lumma Stealer Related Domain (relevantvoicelesskw .shop in TLS SNI) | 49736 | 443 | 192.168.2.4 | 172.67.147.173 |
| 03/22/24-13:54:04.720277 | TCP | 2051588 | ET TROJAN Observed Lumma Stealer Related Domain (relevantvoicelesskw .shop in TLS SNI) | 49734 | 443 | 192.168.2.4 | 172.67.147.173 |
| 03/22/24-13:54:03.009215 | UDP | 2051584 | ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (relevantvoicelesskw .shop) | 51440 | 53 | 192.168.2.4 | 1.1.1.1 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 22, 2024 13:54:03.110776901 CET | 49732 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:03.110806942 CET | 443 | 49732 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:03.110888958 CET | 49732 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:03.114371061 CET | 49732 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:03.114389896 CET | 443 | 49732 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:03.308084011 CET | 443 | 49732 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:03.308224916 CET | 49732 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:03.312488079 CET | 49732 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:03.312505960 CET | 443 | 49732 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:03.312827110 CET | 443 | 49732 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:03.353223085 CET | 49732 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:03.365398884 CET | 49732 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:03.365426064 CET | 49732 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:03.365523100 CET | 443 | 49732 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:03.836723089 CET | 443 | 49732 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:03.836770058 CET | 443 | 49732 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:03.836796045 CET | 443 | 49732 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:03.836817980 CET | 49732 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:03.836819887 CET | 443 | 49732 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:03.836833000 CET | 443 | 49732 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:03.836860895 CET | 49732 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:03.836874008 CET | 443 | 49732 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:03.836932898 CET | 49732 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:03.836937904 CET | 443 | 49732 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:03.836949110 CET | 443 | 49732 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:03.837002039 CET | 49732 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:03.838841915 CET | 49732 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:03.838852882 CET | 443 | 49732 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:03.838884115 CET | 49732 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:03.838888884 CET | 443 | 49732 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:03.861594915 CET | 49733 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:03.861637115 CET | 443 | 49733 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:03.861722946 CET | 49733 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:03.862025976 CET | 49733 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:03.862036943 CET | 443 | 49733 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:04.046919107 CET | 443 | 49733 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:04.046996117 CET | 49733 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:04.049755096 CET | 49733 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:04.049765110 CET | 443 | 49733 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:04.050014019 CET | 443 | 49733 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:04.051899910 CET | 49733 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:04.051924944 CET | 49733 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:04.051975012 CET | 443 | 49733 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:04.530145884 CET | 443 | 49733 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:04.530189991 CET | 443 | 49733 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:04.530217886 CET | 443 | 49733 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:04.530252934 CET | 49733 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:04.530277967 CET | 443 | 49733 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:04.530314922 CET | 443 | 49733 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:04.530329943 CET | 49733 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:04.530337095 CET | 443 | 49733 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:04.530370951 CET | 443 | 49733 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:04.530392885 CET | 49733 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:04.530400991 CET | 443 | 49733 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:04.530428886 CET | 443 | 49733 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:04.530441999 CET | 49733 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:04.530447960 CET | 443 | 49733 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:04.530494928 CET | 49733 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:04.530499935 CET | 443 | 49733 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:04.530844927 CET | 443 | 49733 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:04.530880928 CET | 443 | 49733 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:04.530889988 CET | 49733 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:04.530898094 CET | 443 | 49733 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:04.530925035 CET | 443 | 49733 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:04.530935049 CET | 49733 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:04.530941963 CET | 443 | 49733 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:04.530982971 CET | 49733 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:04.530989885 CET | 443 | 49733 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:04.531004906 CET | 443 | 49733 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:04.531047106 CET | 49733 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:04.531548023 CET | 49733 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:04.531564951 CET | 443 | 49733 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:04.531574011 CET | 49733 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:04.531579018 CET | 443 | 49733 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:04.719826937 CET | 49734 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:04.719861031 CET | 443 | 49734 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:04.719938993 CET | 49734 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:04.720277071 CET | 49734 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:04.720293999 CET | 443 | 49734 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:04.907758951 CET | 443 | 49734 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:04.907923937 CET | 49734 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:04.909526110 CET | 49734 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:04.909533024 CET | 443 | 49734 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:04.909780979 CET | 443 | 49734 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:04.911336899 CET | 49734 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:04.911494970 CET | 49734 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:04.911531925 CET | 443 | 49734 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:04.911587954 CET | 49734 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:04.911600113 CET | 443 | 49734 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:05.354271889 CET | 443 | 49734 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:05.354338884 CET | 443 | 49734 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:05.354410887 CET | 49734 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:05.354607105 CET | 49734 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:05.354623079 CET | 443 | 49734 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:05.354640007 CET | 49734 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:05.354648113 CET | 443 | 49734 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:05.471735001 CET | 49735 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:05.471767902 CET | 443 | 49735 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:05.471868038 CET | 49735 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:05.472246885 CET | 49735 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:05.472261906 CET | 443 | 49735 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:05.659137964 CET | 443 | 49735 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:05.659337997 CET | 49735 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:05.660773039 CET | 49735 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:05.660780907 CET | 443 | 49735 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:05.661025047 CET | 443 | 49735 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:05.662264109 CET | 49735 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:05.662405968 CET | 49735 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:05.662441969 CET | 443 | 49735 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:06.203416109 CET | 443 | 49735 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:06.203547001 CET | 443 | 49735 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:06.203603983 CET | 49735 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:06.203706026 CET | 49735 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:06.203720093 CET | 443 | 49735 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:06.419030905 CET | 49736 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:06.419070959 CET | 443 | 49736 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:06.419156075 CET | 49736 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:06.419544935 CET | 49736 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:06.419557095 CET | 443 | 49736 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:06.607126951 CET | 443 | 49736 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:06.607213974 CET | 49736 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:06.608557940 CET | 49736 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:06.608561993 CET | 443 | 49736 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:06.608844042 CET | 443 | 49736 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:06.610074043 CET | 49736 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:06.610204935 CET | 49736 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:06.610232115 CET | 443 | 49736 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:06.610291958 CET | 49736 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:06.610301018 CET | 443 | 49736 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:07.232721090 CET | 443 | 49736 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:07.232872963 CET | 443 | 49736 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:07.232937098 CET | 49736 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:07.233017921 CET | 49736 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:07.233028889 CET | 443 | 49736 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:08.101994038 CET | 49737 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:08.102034092 CET | 443 | 49737 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:08.102104902 CET | 49737 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:08.102502108 CET | 49737 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:08.102515936 CET | 443 | 49737 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:08.288368940 CET | 443 | 49737 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:08.288444042 CET | 49737 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:08.290083885 CET | 49737 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:08.290091038 CET | 443 | 49737 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:08.290332079 CET | 443 | 49737 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:08.291508913 CET | 49737 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:08.291635036 CET | 49737 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:08.291661978 CET | 443 | 49737 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:09.758755922 CET | 443 | 49737 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:09.758887053 CET | 443 | 49737 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:09.758944988 CET | 49737 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:09.762588024 CET | 49737 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:09.762609005 CET | 443 | 49737 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:09.868681908 CET | 49738 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:09.868722916 CET | 443 | 49738 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:09.868827105 CET | 49738 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:09.869399071 CET | 49738 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:09.869410992 CET | 443 | 49738 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:10.053823948 CET | 443 | 49738 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:10.053898096 CET | 49738 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:10.055813074 CET | 49738 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:10.055819988 CET | 443 | 49738 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:10.056066036 CET | 443 | 49738 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:10.057985067 CET | 49738 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:10.058207035 CET | 49738 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:10.058212996 CET | 443 | 49738 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:10.502278090 CET | 443 | 49738 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:10.502393007 CET | 443 | 49738 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:10.502481937 CET | 49738 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:10.502826929 CET | 49738 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:10.502840042 CET | 443 | 49738 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:10.961174965 CET | 49739 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:10.961210012 CET | 443 | 49739 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:10.961277962 CET | 49739 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:10.961651087 CET | 49739 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:10.961664915 CET | 443 | 49739 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:11.147627115 CET | 443 | 49739 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:11.147730112 CET | 49739 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:11.150871992 CET | 49739 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:11.150882006 CET | 443 | 49739 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:11.151127100 CET | 443 | 49739 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:11.152529955 CET | 49739 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:11.153553009 CET | 49739 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:11.153584957 CET | 443 | 49739 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:11.153661966 CET | 49739 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:11.153692007 CET | 443 | 49739 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:11.153780937 CET | 49739 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:11.153846979 CET | 443 | 49739 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:11.153949022 CET | 49739 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:11.153980970 CET | 443 | 49739 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:11.154098034 CET | 49739 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:11.154129028 CET | 443 | 49739 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:11.154252052 CET | 49739 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:11.154275894 CET | 443 | 49739 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:11.154284000 CET | 49739 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:11.154299974 CET | 443 | 49739 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:11.154408932 CET | 49739 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:11.154438972 CET | 443 | 49739 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:11.154459953 CET | 49739 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:11.154601097 CET | 49739 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:11.154629946 CET | 49739 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:11.200237036 CET | 443 | 49739 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:11.200412035 CET | 49739 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:11.200436115 CET | 443 | 49739 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:11.200457096 CET | 49739 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:11.200474977 CET | 443 | 49739 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:11.200515032 CET | 49739 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:11.200541019 CET | 443 | 49739 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:20.463917971 CET | 443 | 49739 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:20.464025974 CET | 443 | 49739 | 172.67.147.173 | 192.168.2.4 |
| Mar 22, 2024 13:54:20.464103937 CET | 49739 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:20.466329098 CET | 49739 | 443 | 192.168.2.4 | 172.67.147.173 |
| Mar 22, 2024 13:54:20.466347933 CET | 443 | 49739 | 172.67.147.173 | 192.168.2.4 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 22, 2024 13:54:02.814249992 CET | 57667 | 53 | 192.168.2.4 | 1.1.1.1 |
| Mar 22, 2024 13:54:02.906362057 CET | 53 | 57667 | 1.1.1.1 | 192.168.2.4 |
| Mar 22, 2024 13:54:02.910864115 CET | 63995 | 53 | 192.168.2.4 | 1.1.1.1 |
| Mar 22, 2024 13:54:03.004045010 CET | 53 | 63995 | 1.1.1.1 | 192.168.2.4 |
| Mar 22, 2024 13:54:03.009215117 CET | 51440 | 53 | 192.168.2.4 | 1.1.1.1 |
| Mar 22, 2024 13:54:03.104690075 CET | 53 | 51440 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Mar 22, 2024 13:54:02.814249992 CET | 192.168.2.4 | 1.1.1.1 | 0xcf02 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Mar 22, 2024 13:54:02.910864115 CET | 192.168.2.4 | 1.1.1.1 | 0xbc14 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Mar 22, 2024 13:54:03.009215117 CET | 192.168.2.4 | 1.1.1.1 | 0x95ac | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Mar 22, 2024 13:54:02.906362057 CET | 1.1.1.1 | 192.168.2.4 | 0xcf02 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Mar 22, 2024 13:54:03.004045010 CET | 1.1.1.1 | 192.168.2.4 | 0xbc14 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Mar 22, 2024 13:54:03.104690075 CET | 1.1.1.1 | 192.168.2.4 | 0x95ac | No error (0) | 172.67.147.173 | A (IP address) | IN (0x0001) | false | ||
| Mar 22, 2024 13:54:03.104690075 CET | 1.1.1.1 | 192.168.2.4 | 0x95ac | No error (0) | 104.21.33.178 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49732 | 172.67.147.173 | 443 | 7264 | C:\Users\user\Desktop\Ag3ijL3z1w.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-03-22 12:54:03 UTC | 271 | OUT | |
| 2024-03-22 12:54:03 UTC | 8 | OUT | |
| 2024-03-22 12:54:03 UTC | 571 | IN | |
| 2024-03-22 12:54:03 UTC | 798 | IN | |
| 2024-03-22 12:54:03 UTC | 1369 | IN | |
| 2024-03-22 12:54:03 UTC | 1369 | IN | |
| 2024-03-22 12:54:03 UTC | 872 | IN | |
| 2024-03-22 12:54:03 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49733 | 172.67.147.173 | 443 | 7264 | C:\Users\user\Desktop\Ag3ijL3z1w.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-03-22 12:54:04 UTC | 361 | OUT | |
| 2024-03-22 12:54:04 UTC | 49 | OUT | |
| 2024-03-22 12:54:04 UTC | 824 | IN | |
| 2024-03-22 12:54:04 UTC | 545 | IN | |
| 2024-03-22 12:54:04 UTC | 1369 | IN | |
| 2024-03-22 12:54:04 UTC | 1369 | IN | |
| 2024-03-22 12:54:04 UTC | 1369 | IN | |
| 2024-03-22 12:54:04 UTC | 1369 | IN | |
| 2024-03-22 12:54:04 UTC | 1369 | IN | |
| 2024-03-22 12:54:04 UTC | 1369 | IN | |
| 2024-03-22 12:54:04 UTC | 1369 | IN | |
| 2024-03-22 12:54:04 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.4 | 49734 | 172.67.147.173 | 443 | 7264 | C:\Users\user\Desktop\Ag3ijL3z1w.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-03-22 12:54:04 UTC | 379 | OUT | |
| 2024-03-22 12:54:04 UTC | 15331 | OUT | |
| 2024-03-22 12:54:04 UTC | 4165 | OUT | |
| 2024-03-22 12:54:05 UTC | 829 | IN | |
| 2024-03-22 12:54:05 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.4 | 49735 | 172.67.147.173 | 443 | 7264 | C:\Users\user\Desktop\Ag3ijL3z1w.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-03-22 12:54:05 UTC | 378 | OUT | |
| 2024-03-22 12:54:05 UTC | 9606 | OUT | |
| 2024-03-22 12:54:06 UTC | 814 | IN | |
| 2024-03-22 12:54:06 UTC | 23 | IN | |
| 2024-03-22 12:54:06 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.4 | 49736 | 172.67.147.173 | 443 | 7264 | C:\Users\user\Desktop\Ag3ijL3z1w.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-03-22 12:54:06 UTC | 379 | OUT | |
| 2024-03-22 12:54:06 UTC | 15331 | OUT | |
| 2024-03-22 12:54:06 UTC | 5101 | OUT | |
| 2024-03-22 12:54:07 UTC | 812 | IN | |
| 2024-03-22 12:54:07 UTC | 23 | IN | |
| 2024-03-22 12:54:07 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.4 | 49737 | 172.67.147.173 | 443 | 7264 | C:\Users\user\Desktop\Ag3ijL3z1w.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-03-22 12:54:08 UTC | 378 | OUT | |
| 2024-03-22 12:54:08 UTC | 7077 | OUT | |
| 2024-03-22 12:54:09 UTC | 810 | IN | |
| 2024-03-22 12:54:09 UTC | 23 | IN | |
| 2024-03-22 12:54:09 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.4 | 49738 | 172.67.147.173 | 443 | 7264 | C:\Users\user\Desktop\Ag3ijL3z1w.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-03-22 12:54:10 UTC | 378 | OUT | |
| 2024-03-22 12:54:10 UTC | 1409 | OUT | |
| 2024-03-22 12:54:10 UTC | 812 | IN | |
| 2024-03-22 12:54:10 UTC | 23 | IN | |
| 2024-03-22 12:54:10 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.4 | 49739 | 172.67.147.173 | 443 | 7264 | C:\Users\user\Desktop\Ag3ijL3z1w.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-03-22 12:54:11 UTC | 380 | OUT | |
| 2024-03-22 12:54:11 UTC | 15331 | OUT | |
| 2024-03-22 12:54:11 UTC | 15331 | OUT | |
| 2024-03-22 12:54:11 UTC | 15331 | OUT | |
| 2024-03-22 12:54:11 UTC | 15331 | OUT | |
| 2024-03-22 12:54:11 UTC | 15331 | OUT | |
| 2024-03-22 12:54:11 UTC | 15331 | OUT | |
| 2024-03-22 12:54:11 UTC | 15331 | OUT | |
| 2024-03-22 12:54:11 UTC | 15331 | OUT | |
| 2024-03-22 12:54:11 UTC | 15331 | OUT | |
| 2024-03-22 12:54:11 UTC | 15331 | OUT | |
| 2024-03-22 12:54:20 UTC | 806 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
| Target ID: | 0 |
| Start time: | 09:54:00 |
| Start date: | 22/03/2024 |
| Path: | C:\Users\user\Desktop\Ag3ijL3z1w.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x60000 |
| File size: | 2'444'904 bytes |
| MD5 hash: | 038F01C7AB34D20394B657CE5D5F3152 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 9% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 43.4% |
| Total number of Nodes: | 258 |
| Total number of Limit Nodes: | 13 |
Graph
Function 000695E0 Relevance: 17.9, Strings: 14, Instructions: 422COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00095440 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146nativememoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00064640 Relevance: 5.5, Strings: 4, Instructions: 490COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00095640 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139nativememoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00095BD0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107nativememoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00095940 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97nativememoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00078E50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85nativememoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00074F69 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 176encryptionCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00092C52 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 87nativeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000820C1 Relevance: 3.2, APIs: 2, Instructions: 178COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0009286A Relevance: 1.5, APIs: 1, Instructions: 33nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000927F1 Relevance: 1.5, APIs: 1, Instructions: 29nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000927AF Relevance: 1.5, APIs: 1, Instructions: 19nativeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0007390E Relevance: .1, Instructions: 59COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00090EBB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 67memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00090D33 Relevance: 1.6, APIs: 1, Instructions: 111memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00086265 Relevance: 1.6, APIs: 1, Instructions: 92memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00092E56 Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00093396 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000931B5 Relevance: 1.5, APIs: 1, Instructions: 48libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0009423D Relevance: 1.5, APIs: 1, Instructions: 47memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0007CB80 Relevance: 12.8, Strings: 10, Instructions: 261COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00080F04 Relevance: 11.3, APIs: 4, Strings: 2, Instructions: 802nativememoryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0007A880 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 153nativememoryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00061700 Relevance: 9.3, Strings: 7, Instructions: 578COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00096400 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 319nativememoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00086D8E Relevance: 9.0, Strings: 7, Instructions: 247COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0007A762 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 127nativememoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00095AB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90nativememoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00072277 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89nativememoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0007C765 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73nativememoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00072F77 Relevance: 3.4, APIs: 2, Instructions: 404COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00065477 Relevance: 3.0, Strings: 2, Instructions: 501COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00065717 Relevance: 2.8, Strings: 2, Instructions: 264COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00065A3C Relevance: 2.7, Strings: 2, Instructions: 222COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 002DDCD6 Relevance: 2.6, Strings: 2, Instructions: 108COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00063C6F Relevance: 1.6, Strings: 1, Instructions: 322COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000664F0 Relevance: 1.5, Strings: 1, Instructions: 262COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0011A824 Relevance: 1.5, Strings: 1, Instructions: 220COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0006FDB0 Relevance: 1.4, Strings: 1, Instructions: 139COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00077A8C Relevance: 1.4, Strings: 1, Instructions: 126COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00070E43 Relevance: 1.4, Strings: 1, Instructions: 103COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00067B20 Relevance: .8, Instructions: 834COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00065F30 Relevance: .5, Instructions: 497COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0007F3FD Relevance: .4, Instructions: 409COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00082382 Relevance: .4, Instructions: 396COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00073A27 Relevance: .4, Instructions: 386COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000668B4 Relevance: .4, Instructions: 375COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0008EF80 Relevance: .2, Instructions: 189COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00092156 Relevance: .1, Instructions: 148COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00062E70 Relevance: .1, Instructions: 95COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00094FB2 Relevance: .1, Instructions: 83COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0008D620 Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00080D8E Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000705BD Relevance: .1, Instructions: 53COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0007561D Relevance: .0, Instructions: 46COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000952C9 Relevance: .0, Instructions: 33COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0006D1C0 Relevance: .0, Instructions: 21COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0013E70F Relevance: .0, Instructions: 19COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0006FA72 Relevance: .0, Instructions: 16COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0007CB43 Relevance: .0, Instructions: 13COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0006FA7F Relevance: .0, Instructions: 12COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000719E7 Relevance: .0, Instructions: 11COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00094489 Relevance: .0, Instructions: 10COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00093458 Relevance: .0, Instructions: 10COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |