Windows
Analysis Report
RrHuyQ4GzG.exe
Overview
General Information
Sample name: | RrHuyQ4GzG.exe (renamed because original name is a hash value) |
Original sample name: | 6ac50f7457396de4520f8220f46c7756.exe |
Analysis ID: | 1429055 |
MD5: | 6ac50f7457396de4520f8220f46c7756 |
SHA1: | 4a1f490ceafdbefb97f52340d3a7b876eb7e3677 |
SHA256: | d040b1cad2d958a927b1a5552e455a2de58c2379b65050a853f383df9836f5b5 |
Tags: | 32, exe, trojan |
Infos: | |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- RrHuyQ4GzG.exe (PID: 7508 cmdline: "C:\Users\user\Desktop\RrHuyQ4GzG.exe" MD5: 6AC50F7457396DE4520F8220F46C7756)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | |
{"C2 url": ["demonstationfukewko.shop", "liabilitynighstjsko.shop", "alcojoldwograpciw.shop", "incredibleextedwj.shop", "shortsvelventysjo.shop", "shatterbreathepsw.shop", "tolerateilusidjukl.shop", "productivelookewr.shop", "incredibleextedwj.shop"], "Build id": "jgGZsr--Kirien"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security | ||
JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
AV Detection |
---|
Source: | Malware Configuration Extractor: |
Source: | Virustotal: | Perma Link |
Source: | Joe Sandbox ML: |
Source: | String decryptor: |
Source: | Static PE information: |
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Networking |
---|
Source: | URLs: |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | HTTP traffic detected: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: |
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: |
System Summary |
---|
Source: | Static PE information: |
Source: | Classification label: |
Source: | Key opened: |
Source: | Binary or memory string: |
Source: | Virustotal: |
Source: | File read: |
Source: | Section loaded: |
Source: | Static file information: |
Source: | Static PE information: |
Hooking and other Techniques for Hiding and Protection |
---|
Source: | Memory written: |
Source: | Process information set: |
Malware Analysis System Evasion |
---|
Source: | System information queried: |
Source: | Thread sleep time: |
Source: | Binary or memory string: |
Source: | Process information queried: |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | String found in binary or memory: |
Source: | Queries volume information: |
Source: | Key value queried: |
Source: | Binary or memory string: |
Source: | WMI Queries: |
Stealing of Sensitive Information |
---|
Source: | File source: |
Source: | String found in binary or memory: |
Source: | File opened: |
Source: | Directory queried: |
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Virtualization/Sandbox Evasion | 1 OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Credential API Hooking | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Deobfuscate/Decode Files or Information | 1 Credential API Hooking | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 31 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 12 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
20% | Virustotal | Browse | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
1% | Virustotal | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
1% | Virustotal | Browse | ||
9% | Virustotal | Browse | ||
1% | Virustotal | Browse | ||
1% | Virustotal | Browse | ||
1% | Virustotal | Browse | ||
1% | Virustotal | Browse | ||
1% | Virustotal | Browse | ||
11% | Virustotal | Browse | ||
1% | Virustotal | Browse | ||
0% | Virustotal | Browse | ||
1% | Virustotal | Browse |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
incredibleextedwj.shop | 104.21.86.106 | true | true | | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true | | unknown |
true | | unknown |
true | | unknown |
true | | unknown |
true | | unknown |
true | | unknown |
true | | unknown |
false | | unknown |
true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high |
false | high |
false | unknown |
false | high |
false | unknown |
false | high |
false | unknown |
false | unknown |
false | high |
false | high |
false | unknown |
false | unknown |
false | high |
false | unknown |
false | high |
false | high |
false | high |
false | high |
false | high |
false | unknown |
false | unknown |
false | unknown |
false | high |
false | unknown |
false | unknown |
false | unknown |
false | unknown |
false | high |
false | high |
false | unknown |
false | unknown |
false | unknown |
false | high |
false | high |
false | high |
false | unknown |
false | high |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
104.21.86.106 | incredibleextedwj.shop | United States | | 13335 | CLOUDFLARENETUS | true |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1429055 |
Start date and time: | 2024-04-20 13:26:08 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 2m 54s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 2 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | RrHuyQ4GzG.exe (renamed because original name is a hash value) |
Original Sample Name: | 6ac50f7457396de4520f8220f46c7756.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@1/0@1/1 |
EGA Information: | Failed |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): SIHClient.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
13:27:03 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CLOUDFLARENETUS | Get hash | malicious | Unknown | Browse |
Get hash | malicious | Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT | Browse |
Get hash | malicious | Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT | Browse |
Get hash | malicious | Remcos | Browse |
Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | AgentTesla | Browse |
Get hash | malicious | AgentTesla, PureLog Stealer, zgRAT | Browse |
Get hash | malicious | LummaC, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader | Browse |
Get hash | malicious | AgentTesla | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | Unknown | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | MicroClip | Browse |
Get hash | malicious | Remcos, DBatLoader | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | RisePro Stealer | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | LummaC | Browse |
File type: | |
Entropy (8bit): | 7.897751939317777 |
TrID: | |
File name: | RrHuyQ4GzG.exe |
File size: | 7'656'696 bytes |
MD5: | 6ac50f7457396de4520f8220f46c7756 |
SHA1: | 4a1f490ceafdbefb97f52340d3a7b876eb7e3677 |
SHA256: | d040b1cad2d958a927b1a5552e455a2de58c2379b65050a853f383df9836f5b5 |
SHA512: | 47e8bd5f596278006caa5ff9189706e02a966042001d5ac6e1a55db48417f2c47840714f8e0a10e7cdd58458460c66d4737cc58b7ce34d245dbeb5e244e50c53 |
SSDEEP: | 196608:aES43V86djD0D9o8pP5mVuVHDkFNiPxVJ+Gk:h2YcpokxmkZ46JVJe |
TLSH: | E876239A2D8B44D6E9C208B0A72BBBE3037319DFA9D84C352EC07049B471F76657AD53 |
File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...0.!f............................p.............@.................................e^u...@.................................\EU.... |
Icon Hash: | 29226ee6b692c62f |
Entrypoint: | 0xe81d70 |
Entrypoint Section: | 2 |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x66211930 [Thu Apr 18 12:59:28 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 9d119e2e17a860783c22ad990de068eb |
Signature Valid: | false |
Signature Issuer: | CN=AVG Technologies USA LLC \u2122\u2030\u2122\u2030\u2122\u2030 |
Signature Validation Error: | A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider |
Error Number: | -2146762487 |
Not Before, Not After: | |
Subject Chain: | |
Version: | 3 |
Thumbprint MD5: | 27F5DD79C86B9255242DDB29A51B691E |
Thumbprint SHA-1: | 44268FBAA5D87BA1717C7237701B06FA20E9AF66 |
Thumbprint SHA-256: | 1C39A7BBBC7445339DEFD55E21DFA65CDEB9037F0FD33140759077C31CB40BE0 |
Serial: | 59AE1233E1806897438DF0EEC7051E17 |
Instruction |
---|
call 00007FC914B23009h |
not edx |
ror edx, 03h |
neg edx |
push 79066E18h |
push 0C3E1102h |
xor edx, D7870B91h |
mov ecx, 0A203096h |
neg edx |
or dword ptr [esp+ecx*4-2880C256h], ecx |
pop ecx |
xor ebx, edx |
neg ecx |
bts ecx, ecx |
movsx eax, cx |
add esi, edx |
sar word ptr [esp+00h], 0003h |
bswap eax |
mov ax, word ptr [ebp+00h] |
mov edx, B3024C26h |
push edx |
imul ecx, edx |
mov dx, word ptr [ebp+02h] |
push ecx |
adc ebp, 00000001h |
shr cx, 0064h |
sbb byte ptr [esp+07h], 00000009h |
not ax |
rol ecx, cl |
neg cx |
xchg dword ptr [esp+08h], ecx |
not dx |
mov dword ptr [esp+0Ch], ecx |
add dword ptr [esp+0Ah], ecx |
or ax, dx |
add cl, byte ptr [esp+0Bh] |
mov word ptr [ebp+00h], ax |
lea edx, dword ptr [ecx+ecx*8-414A3266h] |
rol cl, FFFFFFC1h |
call 00007FC9150F955Ah |
and edx, dword ptr [esp+edx*2-262D6310h] |
ror cx, 1 |
dec cx |
lea eax, dword ptr [edx+edx*4-047C037Fh] |
rol dx, FFA6h |
sar dword ptr [esp+edx-1316622Ch], FFFFFFCCh |
ror cx, 1 |
dec dx |
mul edx |
sal dl, 00000023h |
xor bx, cx |
mov dword ptr [esp+edx*2+006FA880h], eax |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x55455c | 0xa0 | 2 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xbe6000 | 0x6bbe | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x74bc00 | 0x18f8 | 2 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xbe5000 | 0x638 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4a0000 | 0x4c | 1 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x3aa81 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x3c000 | 0x28fb | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x3f000 | 0xa980 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
0 | 0x4a000 | 0x455c7c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
1 | 0x4a0000 | 0x3dc | 0x400 | ac0451cae294259f9a0960093116e58d | False | 0.0673828125 | data | 0.3732696603346658 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
2 | 0x4a1000 | 0x744000 | 0x744000 | bea8a1e034385366bbef82dfe3ca64b9 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.reloc | 0xbe5000 | 0x638 | 0x800 | d63e3f65e2e94daa6d1bd875caa74ee1 | False | 0.4228515625 | GLS_BINARY_LSB_FIRST | 3.6147834027787398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0xbe6000 | 0x6bbe | 0x6c00 | d1863c0fc436e1d4b8f0253c2a6f437e | False | 0.5274522569444444 | data | 5.974715584215555 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0xbe6268 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 0 | | | 0.23902439024390243 |
RT_ICON | 0xbe68d0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | | | 0.38306451612903225 |
RT_ICON | 0xbe6bb8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | | | 0.597972972972973 |
RT_ICON | 0xbe6ce0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.6084754797441365 |
RT_ICON | 0xbe7b88 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.8172382671480144 |
RT_ICON | 0xbe8430 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.7276011560693642 |
RT_ICON | 0xbe8998 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.4179460580912863 |
RT_ICON | 0xbeaf40 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.6719043151969981 |
RT_ICON | 0xbebfe8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.8315602836879432 |
RT_GROUP_ICON | 0xbec450 | 0x84 | data | | | 0.6363636363636364 |
RT_MANIFEST | 0xbec4d4 | 0x6ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | English | United States | 0.41694915254237286 |
DLL | Import |
---|---|
KERNEL32.dll | ExitProcess |
OLEAUT32.dll | SysAllocString |
ole32.dll | CoCreateInstance |
USER32.dll | CloseClipboard |
GDI32.dll | BitBlt |
KERNEL32.dll | GetSystemTimeAsFileTime |
KERNEL32.dll | HeapAlloc, HeapFree, ExitProcess, GetModuleHandleA, LoadLibraryA, GetProcAddress |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 20, 2024 13:27:02.991661072 CEST | 49732 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:02.991693020 CEST | 443 | 49732 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:02.991806984 CEST | 49732 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:03.002907991 CEST | 49732 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:03.002928019 CEST | 443 | 49732 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:03.231676102 CEST | 443 | 49732 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:03.231935024 CEST | 49732 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:03.237484932 CEST | 49732 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:03.237495899 CEST | 443 | 49732 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:03.237896919 CEST | 443 | 49732 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:03.290801048 CEST | 49732 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:03.321626902 CEST | 49732 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:03.321660995 CEST | 49732 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:03.321978092 CEST | 443 | 49732 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:03.765461922 CEST | 443 | 49732 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:03.765583992 CEST | 443 | 49732 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:03.765650988 CEST | 49732 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:03.767455101 CEST | 49732 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:03.767468929 CEST | 443 | 49732 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:03.767494917 CEST | 49732 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:03.767498970 CEST | 443 | 49732 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:03.771338940 CEST | 49733 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:03.771363020 CEST | 443 | 49733 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:03.771508932 CEST | 49733 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:03.771922112 CEST | 49733 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:03.771931887 CEST | 443 | 49733 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:03.990796089 CEST | 443 | 49733 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:03.991070986 CEST | 49733 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:03.993860006 CEST | 49733 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:03.993874073 CEST | 443 | 49733 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:03.994203091 CEST | 443 | 49733 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:04.003581047 CEST | 49733 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:04.003581047 CEST | 49733 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:04.003688097 CEST | 443 | 49733 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:04.568134069 CEST | 443 | 49733 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:04.568213940 CEST | 443 | 49733 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:04.568245888 CEST | 443 | 49733 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:04.568264008 CEST | 49733 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:04.568280935 CEST | 443 | 49733 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:04.568320036 CEST | 49733 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:04.568325996 CEST | 443 | 49733 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:04.568339109 CEST | 443 | 49733 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:04.568383932 CEST | 443 | 49733 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:04.568384886 CEST | 49733 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:04.568393946 CEST | 443 | 49733 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:04.568443060 CEST | 49733 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:04.568451881 CEST | 443 | 49733 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:04.568697929 CEST | 443 | 49733 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:04.568737984 CEST | 443 | 49733 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:04.568739891 CEST | 49733 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:04.568747997 CEST | 443 | 49733 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:04.568783998 CEST | 49733 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:04.568809986 CEST | 443 | 49733 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:04.568880081 CEST | 443 | 49733 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:04.568923950 CEST | 49733 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:04.569103003 CEST | 49733 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:04.569123030 CEST | 443 | 49733 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:04.569139957 CEST | 49733 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:04.569145918 CEST | 443 | 49733 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:04.674922943 CEST | 49734 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:04.674962044 CEST | 443 | 49734 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:04.675041914 CEST | 49734 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:04.675380945 CEST | 49734 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:04.675391912 CEST | 443 | 49734 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:04.896754026 CEST | 443 | 49734 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:04.896833897 CEST | 49734 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:04.898129940 CEST | 49734 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:04.898135900 CEST | 443 | 49734 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:04.898452997 CEST | 443 | 49734 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:04.899681091 CEST | 49734 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:04.899820089 CEST | 49734 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:04.899842978 CEST | 443 | 49734 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:04.899915934 CEST | 49734 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:04.899923086 CEST | 443 | 49734 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:05.449254990 CEST | 443 | 49734 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:05.449393988 CEST | 443 | 49734 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:05.449457884 CEST | 49734 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:05.449598074 CEST | 49734 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:05.449613094 CEST | 443 | 49734 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:05.540632010 CEST | 49735 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:05.540671110 CEST | 443 | 49735 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:05.540760040 CEST | 49735 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:05.541157961 CEST | 49735 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:05.541172028 CEST | 443 | 49735 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:05.759438038 CEST | 443 | 49735 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:05.759577036 CEST | 49735 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:05.761388063 CEST | 49735 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:05.761400938 CEST | 443 | 49735 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:05.761739016 CEST | 443 | 49735 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:05.763335943 CEST | 49735 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:05.763503075 CEST | 49735 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:05.763534069 CEST | 443 | 49735 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:06.281204939 CEST | 443 | 49735 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:06.281296015 CEST | 443 | 49735 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:06.281373978 CEST | 49735 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:06.281547070 CEST | 49735 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:06.281569004 CEST | 443 | 49735 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:06.453142881 CEST | 49736 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:06.453191996 CEST | 443 | 49736 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:06.453284025 CEST | 49736 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:06.453722000 CEST | 49736 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:06.453739882 CEST | 443 | 49736 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:06.681066036 CEST | 443 | 49736 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:06.681209087 CEST | 49736 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:06.682782888 CEST | 49736 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:06.682804108 CEST | 443 | 49736 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:06.683594942 CEST | 443 | 49736 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:06.685053110 CEST | 49736 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:06.685307980 CEST | 49736 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:06.685380936 CEST | 443 | 49736 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:06.685473919 CEST | 49736 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:06.685488939 CEST | 443 | 49736 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:07.220552921 CEST | 443 | 49736 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:07.220868111 CEST | 443 | 49736 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:07.220957994 CEST | 49736 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:07.220957994 CEST | 49736 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:07.454931974 CEST | 49737 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:07.454977036 CEST | 443 | 49737 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:07.455056906 CEST | 49737 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:07.455393076 CEST | 49737 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:07.455418110 CEST | 443 | 49737 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:07.678567886 CEST | 443 | 49737 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:07.678658962 CEST | 49737 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:07.680037975 CEST | 49737 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:07.680063963 CEST | 443 | 49737 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:07.680421114 CEST | 443 | 49737 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:07.681801081 CEST | 49737 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:07.682216883 CEST | 49737 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:07.682260036 CEST | 443 | 49737 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:08.193986893 CEST | 443 | 49737 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:08.194276094 CEST | 443 | 49737 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:08.194283009 CEST | 49737 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:08.194341898 CEST | 49737 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:08.257571936 CEST | 49738 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:08.257620096 CEST | 443 | 49738 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:08.257694960 CEST | 49738 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:08.258013964 CEST | 49738 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:08.258028984 CEST | 443 | 49738 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:08.483793974 CEST | 443 | 49738 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:08.484184980 CEST | 49738 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:08.485327959 CEST | 49738 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:08.485352039 CEST | 443 | 49738 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:08.486325026 CEST | 443 | 49738 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:08.487488031 CEST | 49738 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:08.487633944 CEST | 49738 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:08.487657070 CEST | 443 | 49738 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:08.992181063 CEST | 443 | 49738 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:08.992522001 CEST | 443 | 49738 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:08.992620945 CEST | 49738 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:08.992706060 CEST | 49738 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:08.992749929 CEST | 443 | 49738 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:09.597812891 CEST | 49739 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:09.597907066 CEST | 443 | 49739 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:09.598006964 CEST | 49739 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:09.598407984 CEST | 49739 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:09.598442078 CEST | 443 | 49739 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:09.825284004 CEST | 443 | 49739 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:09.825517893 CEST | 49739 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:09.826682091 CEST | 49739 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:09.826735020 CEST | 443 | 49739 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:09.827158928 CEST | 443 | 49739 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:09.828377962 CEST | 49739 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:09.829165936 CEST | 49739 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:09.829221010 CEST | 443 | 49739 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:09.829369068 CEST | 49739 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:09.829412937 CEST | 443 | 49739 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:09.829552889 CEST | 49739 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:09.829596996 CEST | 443 | 49739 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:09.829787016 CEST | 49739 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:09.829847097 CEST | 443 | 49739 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:09.830070019 CEST | 49739 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:09.830141068 CEST | 443 | 49739 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:09.830391884 CEST | 49739 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:09.830450058 CEST | 443 | 49739 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:09.830476999 CEST | 49739 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:09.830507994 CEST | 443 | 49739 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:09.830651999 CEST | 49739 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:09.830699921 CEST | 443 | 49739 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:09.830749035 CEST | 49739 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:09.830845118 CEST | 49739 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:09.830899954 CEST | 49739 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:09.872133970 CEST | 443 | 49739 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:09.872591972 CEST | 49739 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:09.872709990 CEST | 49739 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:09.872800112 CEST | 49739 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:09.920134068 CEST | 443 | 49739 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:09.920516014 CEST | 49739 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:09.947293997 CEST | 49739 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:09.947359085 CEST | 443 | 49739 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:13.302175999 CEST | 443 | 49739 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:13.302485943 CEST | 443 | 49739 | 104.21.86.106 | 192.168.2.4 |
Apr 20, 2024 13:27:13.302620888 CEST | 49739 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:13.303299904 CEST | 49739 | 443 | 192.168.2.4 | 104.21.86.106 |
Apr 20, 2024 13:27:13.303344965 CEST | 443 | 49739 | 104.21.86.106 | 192.168.2.4 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 20, 2024 13:27:02.865027905 CEST | 54730 | 53 | 192.168.2.4 | 1.1.1.1 |
Apr 20, 2024 13:27:02.985547066 CEST | 53 | 54730 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Apr 20, 2024 13:27:02.865027905 CEST | 192.168.2.4 | 1.1.1.1 | 0x2fdc | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Apr 20, 2024 13:27:02.985547066 CEST | 1.1.1.1 | 192.168.2.4 | 0x2fdc | No error (0) | | | 104.21.86.106 | A (IP address) | IN (0x0001) | false |
Apr 20, 2024 13:27:02.985547066 CEST | 1.1.1.1 | 192.168.2.4 | 0x2fdc | No error (0) | | | 172.67.218.63 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.4 | 49732 | 104.21.86.106 | 443 | 7508 | C:\Users\user\Desktop\RrHuyQ4GzG.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-04-20 11:27:03 UTC | 269 | OUT | |
2024-04-20 11:27:03 UTC | 8 | OUT | |
2024-04-20 11:27:03 UTC | 802 | IN | |
2024-04-20 11:27:03 UTC | 7 | IN | |
2024-04-20 11:27:03 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.4 | 49733 | 104.21.86.106 | 443 | 7508 | C:\Users\user\Desktop\RrHuyQ4GzG.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-04-20 11:27:04 UTC | 270 | OUT | |
2024-04-20 11:27:04 UTC | 55 | OUT | |
2024-04-20 11:27:04 UTC | 806 | IN | |
2024-04-20 11:27:04 UTC | 563 | IN | |
2024-04-20 11:27:04 UTC | 728 | IN | |
2024-04-20 11:27:04 UTC | 1369 | IN | |
2024-04-20 11:27:04 UTC | 1369 | IN | |
2024-04-20 11:27:04 UTC | 1369 | IN | |
2024-04-20 11:27:04 UTC | 1369 | IN | |
2024-04-20 11:27:04 UTC | 1369 | IN | |
2024-04-20 11:27:04 UTC | 1369 | IN | |
2024-04-20 11:27:04 UTC | 1369 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.4 | 49734 | 104.21.86.106 | 443 | 7508 | C:\Users\user\Desktop\RrHuyQ4GzG.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-04-20 11:27:04 UTC | 288 | OUT | |
2024-04-20 11:27:04 UTC | 15331 | OUT | |
2024-04-20 11:27:04 UTC | 2833 | OUT | |
2024-04-20 11:27:05 UTC | 812 | IN | |
2024-04-20 11:27:05 UTC | 20 | IN | |
2024-04-20 11:27:05 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.4 | 49735 | 104.21.86.106 | 443 | 7508 | C:\Users\user\Desktop\RrHuyQ4GzG.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-04-20 11:27:05 UTC | 287 | OUT | |
2024-04-20 11:27:05 UTC | 8785 | OUT | |
2024-04-20 11:27:06 UTC | 806 | IN | |
2024-04-20 11:27:06 UTC | 20 | IN | |
2024-04-20 11:27:06 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.4 | 49736 | 104.21.86.106 | 443 | 7508 | C:\Users\user\Desktop\RrHuyQ4GzG.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-04-20 11:27:06 UTC | 288 | OUT | |
2024-04-20 11:27:06 UTC | 15331 | OUT | |
2024-04-20 11:27:06 UTC | 5107 | OUT | |
2024-04-20 11:27:07 UTC | 808 | IN | |
2024-04-20 11:27:07 UTC | 20 | IN | |
2024-04-20 11:27:07 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.4 | 49737 | 104.21.86.106 | 443 | 7508 | C:\Users\user\Desktop\RrHuyQ4GzG.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-04-20 11:27:07 UTC | 287 | OUT | |
2024-04-20 11:27:07 UTC | 5451 | OUT | |
2024-04-20 11:27:08 UTC | 810 | IN | |
2024-04-20 11:27:08 UTC | 20 | IN | |
2024-04-20 11:27:08 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.4 | 49738 | 104.21.86.106 | 443 | 7508 | C:\Users\user\Desktop\RrHuyQ4GzG.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-04-20 11:27:08 UTC | 287 | OUT | |
2024-04-20 11:27:08 UTC | 1407 | OUT | |
2024-04-20 11:27:08 UTC | 800 | IN | |
2024-04-20 11:27:08 UTC | 20 | IN | |
2024-04-20 11:27:08 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.4 | 49739 | 104.21.86.106 | 443 | 7508 | C:\Users\user\Desktop\RrHuyQ4GzG.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-04-20 11:27:09 UTC | 289 | OUT | |
2024-04-20 11:27:09 UTC | 15331 | OUT | |
2024-04-20 11:27:09 UTC | 15331 | OUT | |
2024-04-20 11:27:09 UTC | 15331 | OUT | |
2024-04-20 11:27:09 UTC | 15331 | OUT | |
2024-04-20 11:27:09 UTC | 15331 | OUT | |
2024-04-20 11:27:09 UTC | 15331 | OUT | |
2024-04-20 11:27:09 UTC | 15331 | OUT | |
2024-04-20 11:27:09 UTC | 15331 | OUT | |
2024-04-20 11:27:09 UTC | 15331 | OUT | |
2024-04-20 11:27:09 UTC | 15331 | OUT | |
2024-04-20 11:27:13 UTC | 806 | IN |
Target ID: | 0 |
Start time: | 13:27:00 |
Start date: | 20/04/2024 |
Path: | C:\Users\user\Desktop\RrHuyQ4GzG.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xf60000 |
File size: | 7'656'696 bytes |
MD5 hash: | 6AC50F7457396DE4520F8220F46C7756 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |