Windows
Analysis Report
lnst#U0430Il#U0435r86x.exe
Overview
General Information
Sample name: | lnst#U0430Il#U0435r86x.exe (renamed because the original name is a hash value) |
Original sample name: | lnstIlr86x.exe |
Analysis ID: | 1616305 |
MD5: | 80366ac1383e6415790b9993205efb78 |
SHA1: | 8a236d9587e844df67b3ed756d9e5c8753843281 |
SHA256: | ce2d57e8cb34eff0c7d2a11895626e216b4ee7075eaaad279faa82e6242dba9c |
Tags: | AutoIT, exe, LummaStealer, user-aachum |
Detection
LummaC Stealer
Score: | 100 |
Range: | 0 - 100 |
Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Performs DNS queries to domains with low reputation
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Classification
- System is w10x64
- lnst#U0430Il#U0435r86x.exe (PID: 7060 cmdline: "C:\Users\user\Desktop\lnst#U0430Il#U0435r86x.exe" MD5: 80366AC1383E6415790B9993205EFB78)
- cmd.exe (PID: 6344 cmdline: "C:\Windows\system32\cmd.exe" /c expand Meyer.pps Meyer.pps.bat & Meyer.pps.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 6364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- expand.exe (PID: 2000 cmdline: expand Meyer.pps Meyer.pps.bat MD5: 544B0DBFF3F393BCE8BB9D815F532D51)
- tasklist.exe (PID: 180 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
- findstr.exe (PID: 5696 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
- tasklist.exe (PID: 3592 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
- findstr.exe (PID: 736 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
- cmd.exe (PID: 2256 cmdline: cmd /c md 670499 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- extrac32.exe (PID: 5408 cmdline: extrac32 /Y /E Notes.pps MD5: 9472AAB6390E4F1431BAA912FCFF9707)
- findstr.exe (PID: 5164 cmdline: findstr /V "Postal" Warnings MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
- cmd.exe (PID: 4916 cmdline: cmd /c copy /b 670499\Considering.com + Typically + Longitude + Nikon + Bumper + Tire + Nick + Tunisia + Festivals + Rabbit 670499\Considering.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- cmd.exe (PID: 1184 cmdline: cmd /c copy /b ..\Celebs.pps + ..\Harvest.pps + ..\Come.pps + ..\Ban.pps + ..\Spain.pps + ..\Irrigation.pps + ..\Communicate.pps J MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Considering.com (PID: 6484 cmdline: Considering.com J MD5: 62D09F076E6E0240548C2F837536A46A)
- choice.exe (PID: 7152 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
- cleanup
{"C2 url": ["jookerkslxsafkr.xyz", "shiningrstars.help", "mercharena.biz", "generalmills.pro", "stormlegue.com", "blast-hubs.com", "blastikcn.com", "nestlecompany.pro"], "Build id": "2WC8gB--megalutzalut"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
| | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | |
| | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | |
| | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | |
| | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | |
| | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | |
HIPS / PFW / Operating System Protection Evasion |
---|
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-02-16T14:31:56.565055+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 149.154.167.99 | 443 | TCP |
2025-02-16T14:31:57.366183+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49738 | 188.114.97.3 | 443 | TCP |
2025-02-16T14:31:58.312583+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49739 | 188.114.97.3 | 443 | TCP |
2025-02-16T14:31:59.571736+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49740 | 188.114.97.3 | 443 | TCP |
2025-02-16T14:32:00.934348+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49741 | 188.114.97.3 | 443 | TCP |
2025-02-16T14:32:02.235872+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49742 | 188.114.97.3 | 443 | TCP |
2025-02-16T14:32:03.542781+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49743 | 188.114.97.3 | 443 | TCP |
2025-02-16T14:32:04.869173+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49744 | 188.114.97.3 | 443 | TCP |
2025-02-16T14:32:06.981568+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49745 | 188.114.97.3 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-02-16T14:31:57.837448+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49738 | 188.114.97.3 | 443 | TCP |
2025-02-16T14:31:58.813045+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49739 | 188.114.97.3 | 443 | TCP |
2025-02-16T14:32:07.428898+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49745 | 188.114.97.3 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-02-16T14:31:57.837448+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49738 | 188.114.97.3 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-02-16T14:32:01.695144+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 188.114.97.3 | 443 | TCP |
AV Detection |
---|
Networking |
---|
Persistence and Installation Behavior |
---|
Malware Analysis System Evasion |
---|
Stealing of Sensitive Information |
---|
Remote Access Functionality |
---|
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | 1 Scripting | Valid Accounts | 121 Windows Management Instrumentation | 1 Scripting | 12 Process Injection | 11 Masquerading | 2 OS Credential Dumping | 21 Security Software Discovery | Remote Services | 11 Input Capture | 11 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
Credentials | Domains | Default Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | 11 Input Capture | 21 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 12 Process Injection | Security Account Manager | 3 Process Discovery | SMB/Windows Admin Shares | 31 Data from Local System | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 13 File and Directory Discovery | Distributed Component Object Model | 1 Clipboard Data | 114 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 25 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Detection | Scanner |
---|---|
28% | Virustotal |
30% | ReversingLabs |
Detection | Scanner |
---|---|
0% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
Detection | Scanner | Label |
---|---|---|
0% | Avira URL Cloud | safe |
0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
jookerkslxsafkr.xyz | 188.114.97.3 | true | true | unknown | |
t.me | 149.154.167.99 | true | false | high | |
TNBFkotxhoPtfkcmNcPt.TNBFkotxhoPtfkcmNcPt | unknown | unknown | false | unknown |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
188.114.97.3 | jookerkslxsafkr.xyz | European Union | 13335 | CLOUDFLARENETUS | true |
149.154.167.99 | t.me | United Kingdom | 62041 | TELEGRAMRU | false |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1616305 |
Start date and time: | 2025-02-16 14:30:26 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 12s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 18 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | lnst#U0430Il#U0435r86x.exerenamed because original name is a hash value |
Original Sample Name: | lnstIlr86x.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@28/23@3/2 |
EGA Information: |
HCA Information: |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtSetInformationFile calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description |
---|---|---|
08:31:57 | API Interceptor |
Match | Detection | Threat Name |
---|---|---|
188.114.97.3 | malicious | Unknown |
188.114.97.3 | malicious | FormBook |
188.114.97.3 | malicious | FormBook |
188.114.97.3 | malicious | FormBook |
188.114.97.3 | malicious | FormBook |
188.114.97.3 | malicious | FormBook |
188.114.97.3 | malicious | FormBook |
188.114.97.3 | malicious | FormBook |
188.114.97.3 | malicious | FormBook |
188.114.97.3 | malicious | FormBook |
149.154.167.99 | malicious | Unknown |
149.154.167.99 | malicious | Unknown |
149.154.167.99 | malicious | Unknown |
149.154.167.99 | malicious | Unknown |
149.154.167.99 | malicious | Unknown |
149.154.167.99 | malicious | Unknown |
149.154.167.99 | malicious | Unknown |
149.154.167.99 | malicious | Unknown |
149.154.167.99 | malicious | Unknown |
149.154.167.99 | malicious | Cinoshi Stealer |
Match | Detection | Threat Name |
---|---|---|
t.me | malicious | Vidar |
t.me | malicious | LummaC Stealer |
t.me | malicious | LummaC Stealer |
t.me | malicious | LummaC Stealer |
t.me | malicious | Unknown |
t.me | malicious | Vidar |
t.me | malicious | Unknown |
t.me | malicious | Vidar |
t.me | malicious | Vidar |
t.me | malicious | Unknown |
Match | Detection | Threat Name |
---|---|---|
TELEGRAMRU | malicious | Vidar |
TELEGRAMRU | malicious | LummaC Stealer |
TELEGRAMRU | malicious | Unknown |
TELEGRAMRU | malicious | LummaC Stealer |
TELEGRAMRU | malicious | LummaC Stealer |
TELEGRAMRU | malicious | DCRat, PureLog Stealer, zgRAT |
TELEGRAMRU | malicious | DBatLoader, Snake Keylogger, VIP Keylogger |
TELEGRAMRU | malicious | Unknown |
TELEGRAMRU | malicious | Unknown |
TELEGRAMRU | malicious | Unknown |
CLOUDFLARENETUS | malicious | ACR Stealer |
CLOUDFLARENETUS | malicious | LummaC Stealer |
CLOUDFLARENETUS | malicious | LummaC Stealer |
CLOUDFLARENETUS | malicious | LummaC Stealer |
CLOUDFLARENETUS | malicious | LummaC Stealer |
CLOUDFLARENETUS | malicious | LummaC Stealer |
CLOUDFLARENETUS | malicious | Unknown |
CLOUDFLARENETUS | malicious | RedLine |
CLOUDFLARENETUS | malicious | Unknown |
CLOUDFLARENETUS | malicious | CobaltStrike, Metasploit |
Match | Detection | Threat Name |
---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | malicious | LummaC Stealer |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | LummaC Stealer |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | LummaC Stealer |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | LummaC Stealer |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | LummaC Stealer |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | CobaltStrike, Metasploit |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | LummaC Stealer |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | LummaC Stealer |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | LummaC Stealer |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | LummaC Stealer |
Match | Detection | Threat Name |
---|---|---|
C:\Users\user\AppData\Local\Temp\670499\Considering.com | malicious | LummaC Stealer |
C:\Users\user\AppData\Local\Temp\670499\Considering.com | malicious | LummaC Stealer |
C:\Users\user\AppData\Local\Temp\670499\Considering.com | malicious | LummaC Stealer |
C:\Users\user\AppData\Local\Temp\670499\Considering.com | malicious | LummaC Stealer |
C:\Users\user\AppData\Local\Temp\670499\Considering.com | malicious | LummaC Stealer |
C:\Users\user\AppData\Local\Temp\670499\Considering.com | malicious | LummaC Stealer |
C:\Users\user\AppData\Local\Temp\670499\Considering.com | malicious | LummaC Stealer |
C:\Users\user\AppData\Local\Temp\670499\Considering.com | malicious | LummaC Stealer |
C:\Users\user\AppData\Local\Temp\670499\Considering.com | malicious | LummaC Stealer |
C:\Users\user\AppData\Local\Temp\670499\Considering.com | malicious | LummaC Stealer |
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | modified |
Size (bytes): | 947288 |
Entropy (8bit): | 6.630612696399572 |
Encrypted: | false |
SSDEEP: | 24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK |
MD5: | 62D09F076E6E0240548C2F837536A46A |
SHA1: | 26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2 |
SHA-256: | 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49 |
SHA-512: | 32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F |
Malicious: | true |
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 495088 |
Entropy (8bit): | 7.999620097462215 |
Encrypted: | true |
SSDEEP: | 12288:silXPlLLuoEH51Hj7dTrQSNLLMr7cTuBwLG:sQdLOZFndTrvLOh |
MD5: | 570CD10898951C67920E4F434E329970 |
SHA1: | E11677D9FE85DCF017444C4B55A46988C6A03A04 |
SHA-256: | 2BD892D44D0C2AC114866B5D5C060E4ACA6F47AB405F8B89EBA4AEE27BE4F411 |
SHA-512: | F07101A13F1E1830C7B33F1F4D31BD53B785CF802D97A1788085579B975CD692584C56F5E7DFAD655201DDEBFF933C563B5CEE1DA8EC7B00B8D7396F81040D7B |
Malicious: | false |
Process: | C:\Users\user\Desktop\lnst#U0430Il#U0435r86x.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 70656 |
Entropy (8bit): | 7.997487053777007 |
Encrypted: | true |
SSDEEP: | 1536:ivuLgRWjzg0NWnHB7wnCIydea7B1pAdN9jVjoEc2jDTRB:6cjzg0Ny1wLyU4j09tciTRB |
MD5: | 68C059795CE45CC624DD5BFC318BA718 |
SHA1: | 038C6B33572C7297E3C052A1A8D2EC28B4CFB4DD |
SHA-256: | 4AF5547E4E468E14703A032890727FC7DD64DE1942AEF252994E9EBE3E883BC8 |
SHA-512: | 0FC23F6B357EB45127BF4779E93C463173066EF31365516D6CBABA0A6638778AC230DF4C3CDD4AF8A94B7379AF78F16E32BDE1761A16608330FEBBD9DCE14CB9 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 142336 |
Entropy (8bit): | 6.703336639336261 |
Encrypted: | false |
SSDEEP: | 3072:jBxT/sZydTmRxlHS3NxrHSBRtNPnj0nEoXnmowS2u5hVOoQQ:jL/sZ7HS3zcNPj0nEo3tb2I |
MD5: | 6DB95C56F22F3377397FCD1B73BD13C4 |
SHA1: | 7C7F55394570606418C09E4A7119920D57671FA2 |
SHA-256: | E78565A604919FD3E971E3761DFC4A46FA6304300985DC5BCDB03D497A801822 |
SHA-512: | 66E6CC0AC968D9E54569AD1BB51987055A3DCBCC83E68ABDF6277880C0057F3ECE074C96AE9E78E9C576EC147419102CA426943256D4CBB8B23A601C29B7D2C6 |
Malicious: | false |
Process: | C:\Users\user\Desktop\lnst#U0430Il#U0435r86x.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 61440 |
Entropy (8bit): | 7.996761913099477 |
Encrypted: | true |
SSDEEP: | 768:k/GOp4/xPJC545ObkjRjNArKyvTdJ/mh00uTxchYM50eJ/D2J5qYeiWJseJ:zo4ZJCy5DArH+xScxb2iYeiWdJ |
MD5: | E40163F420B3CC0989723D60911BD280 |
SHA1: | 21EBFCA06F754879D11DBF6217B1B63D456BE58A |
SHA-256: | 4C7FA551CDD3F77864E8228172E5CC1E633012B0E0379A76118B5CDA0DEE5FB2 |
SHA-512: | 3B9AF36D3B2FA797AD18DD3611FA93A309FA6102A78303889CF9C73BCA5F3751CE50A683D6A6FEC673E7D30C02AF2A0E66E4AED431B73691747DF34AEC927AF2 |
Malicious: | false |
Process: | C:\Users\user\Desktop\lnst#U0430Il#U0435r86x.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 91136 |
Entropy (8bit): | 7.997803731790024 |
Encrypted: | true |
SSDEEP: | 1536:2AShp1WHFMMZ6fmx0UjS6q6vE0BVg3sqaZZEtUp+mvD26kZkX/w:LS4HF7Z7D9JM0jJ1w2AZko |
MD5: | F468C5EC8AC521E917AD9E5F46582F45 |
SHA1: | C1E03293E1DAC5028AAB84C5BB7946C4E1760514 |
SHA-256: | 7DC177CCFBF9968085CE0D747DBA3C713B43846BAC65369CE272ACB5D7B4F64A |
SHA-512: | 454239EDC552F319565F85EAF680A3586D03BF1787CB5973CFD6894E43650A078A4D5A342BF3C92AA8C3F3E20D4A622DDAC7609E07B3F3A546A014C1CB9DA3DD |
Malicious: | false |
Process: | C:\Users\user\Desktop\lnst#U0430Il#U0435r86x.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 66032 |
Entropy (8bit): | 7.996977648102808 |
Encrypted: | true |
SSDEEP: | 1536:yjkGJRlr1QrRW6pOGxr0yE5R9tPFKOyfWwBFCKZCw3KFQ6H9:S7hf6pTxrWXDyOwLCsar |
MD5: | 5569C2066408E890F51A8DE897551874 |
SHA1: | CE9D33B6DA170A57A4342F20B83E599943A157AA |
SHA-256: | 2D6DBE3D4BEAB8BA18EAC1CC95F0DBD7202C964DB0D04E8775D8387D4DEFE17E |
SHA-512: | EED758A73C26532110DDFCF8689AA1FB61F246FFB0AC89A5575864E448FA3D469A93A489BD66AC946BF4D5A0A2DC0AC14517BD183254B134A443FE409A7B1609 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 103424 |
Entropy (8bit): | 5.78116078668692 |
Encrypted: | false |
SSDEEP: | 1536:agarB/5el3EYrDWyu0uZo2+9BGmdATGODv7xvTphAiN:agarB/5elDWy4ZNoGmROL7F1Gq |
MD5: | 1FF437DA535A9249D0C86151D60891D0 |
SHA1: | EA7C34E9EFEEB6E868E47B36BA74B66909B8EE42 |
SHA-256: | 3B8619CB77FA860368E7DABF3E5C3F83501B352F232245FFEE66B9ACD4048EEC |
SHA-512: | 083C847557F6A1CEF4BF9A4F96A6593EBE5E4E29E1457C54FE6DAEEC04F53273FA4DD572C594F2CA28E689230194504A7E4381B306F9FA8A55BC9C74EFC61487 |
Malicious: | false |
Process: | C:\Users\user\Desktop\lnst#U0430Il#U0435r86x.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 68608 |
Entropy (8bit): | 7.997376329245828 |
Encrypted: | true |
SSDEEP: | 1536:/FmlUKDW5YtabSyu/BnbvCTQ0nKOnM8J5LgfqczED:46yaluB2iOnO7zK |
MD5: | DDFE95551DE3406508B25F52E923B8C4 |
SHA1: | 0934538A1B4583ED9784A2A49018C6820748413E |
SHA-256: | BD3008B2AFD0E6EADAAC77007124EDB9307C375B455A635972A4CEB9492D3A8A |
SHA-512: | B647AF7E18C33369379B42B2DCA67AAE20995EE10F93AB38CB1C1A27230B39E78BBA7DEB2F80EC37542347EB0E250F482D58DA816A89F50C7C16D8A194D5C17B |
Malicious: | false |
Process: | C:\Users\user\Desktop\lnst#U0430Il#U0435r86x.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 75776 |
Entropy (8bit): | 7.997495135594017 |
Encrypted: | true |
SSDEEP: | 1536:gouyiKjbBwv4wT5wCUgqd95x68+vB/hgxvckFT8HadpqJG0Q2ORLqfaFJ82zYbhO:XzHfo4c5wxbhx68q+ckFZpiGT2oLLM2J |
MD5: | B291FF232D9960D91593063270EA4210 |
SHA1: | BD31CFECE5BCE9C5B0E44636E2F50870680E5D3E |
SHA-256: | A665D0E71658985977F991B47513A84AAA12AA7FA36B6A961F2A481805711DED |
SHA-512: | 2C5F93019194F38F34CBDA4E071F93B63678D9145D45A79743C6E26E9BDD88E4041F06D6141A82B3F7744081D38760B0B8607EF660340EE6C2CE3599B21B58F1 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 54272 |
Entropy (8bit): | 6.609486502576525 |
Encrypted: | false |
SSDEEP: | 1536:/2IwNnPEBiqXv+G/UXT6TvY464qvI932eOypvcy:kcBiqXvpgF4qv+32eOyKy |
MD5: | 0F4BCC96E138768F57EB17F1DA5F50F8 |
SHA1: | 22C872FA8E613714636D006E65B7E88EC5963398 |
SHA-256: | 3A5E9680285485064FCCBB0CFA4D6AAC061D9B823E8D462EAA75FC803FE6F253 |
SHA-512: | 49736BD70BF2B9A32B34B379D971C3D81985174A04400D3D6AE8EAAA710185DFD2BC6FE5C77ADC2F4F32F157E5170646804053751FE23E875CFC272B160B6F6F |
Malicious: | false |
Process: | C:\Users\user\Desktop\lnst#U0430Il#U0435r86x.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 13891 |
Entropy (8bit): | 5.114310451313887 |
Encrypted: | false |
SSDEEP: | 192:Mb6mjua6fGGcoO+EeyH2Dgj9CQ91oVA9sz/qGshLlAM97wAJMOuXn/oE:Mz6fBA2DgroV7iL5977iTX/B |
MD5: | 5550C364259312F7447A4D9B9836E3B9 |
SHA1: | 4418F35EC955ECB1FA4E5D98B2CF2DF7EFB97E3A |
SHA-256: | FB9E1010E6EC66A192B3F991C6CB89CF0207E4909E8A0958155E46C5BBF757DD |
SHA-512: | 259BB9C8D5D37DC63DA0870952D7C62C04A38DE0EE7B4983BDD1E099736C839033F96C51FF325FE335D2FADDAE25C660FA2C5CE1F3151520E190F00A2F08912E |
Malicious: | false |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 135168 |
Entropy (8bit): | 6.142312621649862 |
Encrypted: | false |
SSDEEP: | 3072:H/Dde6u640ewy4Za9coRC2jfTq8QLeAg0Fuz08XvBNbjaAtsW:H/Dd314V14ZgP0JaAOz04phdyW |
MD5: | C87CD7C99598C967DB52E7F5F4122FC3 |
SHA1: | CE255D6341959F09B34E394CFC8AB9631A001438 |
SHA-256: | 7EBE4E5DA25E1F5E186F3938C35E4CBFA6B858FEF0530524D5D8DD58CC69CB30 |
SHA-512: | FE3C88BC36D0CC4724AC569F7846FABD734C25FEBC0E1F9D74DF83F868160A3BEBAAB142FE8B590D2DC4271458E1DCD20FBA4CAA651322CE130951C74212301A |
Malicious: | false |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 106496 |
Entropy (8bit): | 6.709156821132373 |
Encrypted: | false |
SSDEEP: | 1536:oSDOSpZ+Sh+I+FrbCyI7P4Cxi8q0vQEcmFdni8yDGVFE5gOHu1CwCMIBZwneAJuv:7DOSpQSAU4CE0Imbi80PtCZEMnVIPT |
MD5: | 643D1F830A8C35A266F04FDC44DB61DF |
SHA1: | FD6BED229941310A6C5CF52EDEA93D44D7C35F63 |
SHA-256: | 0A2F5AA3F1B10B94E0D92E5F023C60536646EF26B4C77D73DB17E18355106BC1 |
SHA-512: | 095A3FFA9A0F41543EC1FFE9CAA33A8683698FC278EB05C9D24519565187FCB01D0F76A50DF2ECD640CC344B2F3AD358B25C891D4C292D53DEC6FD17517D0B56 |
Malicious: | false |
Process: | C:\Users\user\Desktop\lnst#U0430Il#U0435r86x.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 490275 |
Entropy (8bit): | 7.9984737133866775 |
Encrypted: | true |
SSDEEP: | 12288:6ObL9vyBFD5bYydsh4KkHaQTlmXIush4fv/h5uM:JNvuD5bW4KgaQled75L |
MD5: | 60AAF7C351820530EBAFE92884D98B02 |
SHA1: | 7823D9AC00CFFAA2DE69C5C22F39A36CDED9E2F1 |
SHA-256: | 5F7CE8DC49F295DE6B69E48C9EDA87A12D6B9258BC4610D35AB1C56EF5D2DBB9 |
SHA-512: | E521AA5FD7F174112917F396DE148685A65578658C8CFA6C3995AC7DA5A8DE95F934FF8722F5579F0EF5AFC33BCBA510D4D1B7A71469E1BE3CFFB7770EE4D1A2 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 17674 |
Entropy (8bit): | 7.3701765285730225 |
Encrypted: | false |
SSDEEP: | 384:nn929MwO/ChZrzmZGhLdXVaeCVrVEVFJ8ZcGwGBk7/UMQ3rw:nuO/ChgZ45VatJVEV3GPkjF |
MD5: | B5728C695962B31957CB8E09D9CDD061 |
SHA1: | D4108AD918489E48D1BDA450D1861EE7EB290C98 |
SHA-256: | 6E2C4398E8D8D09CC37AE4823C3E6B8F6E1FC216052F75CD44E101846A0213B5 |
SHA-512: | 24D64E167B3C7AEC66D00CEFF4386127457C568D5F9583885EF5A100EDB0A7A93C4663A527FAE6EC9E9AC963CA386CF3A749FB177B83C4C645D74992C5E903E5 |
Malicious: | false |
Process: | C:\Users\user\Desktop\lnst#U0430Il#U0435r86x.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 61440 |
Entropy (8bit): | 7.997224857463413 |
Encrypted: | true |
SSDEEP: | 1536:EWFAdDWiLLwMZBN5OJRAvXkRWxdZ5ylgm622EetDnnhAFgq:x8WUdGXA0WDZ56gm6lFXM |
MD5: | D36FF6C3045D5BE066169EC34EBAAE58 |
SHA1: | 7F0A7F0BD99704C462B71734E678D6B399DF36D9 |
SHA-256: | D6700D0A7038DD2EDF9B9A3FBC0CC38C5087437DFD04D0F0CE6FE143266B0405 |
SHA-512: | 4EB9AE045424ED59B77B668B65A4513222ECB39F7CAD4613FCFE47856A0E1803A2660251EBCD1BD7AF285F5A7396DF25E63410B96F46849C2DC068741443E41C |
Malicious: | false |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 147456 |
Entropy (8bit): | 6.587507141686446 |
Encrypted: | false |
SSDEEP: | 3072:Kt8T6pUkBJR8CThpmESv+AqVnBypIbv18mLthfhnueoMmOqDoioO5bLezW9FfTuV:K6AUkB0CThp6vmVnjphfhnvO5bLezWWV |
MD5: | F7CFF4F7EFA6DFCCED4D9C29F8C6A6C4 |
SHA1: | 0D5354BE402609C51B1B881BC1475AF960D77CDC |
SHA-256: | 45C3539C76DE5EC31886CA86F1E0AADE4DB3AFBF288BB22C748E6A191A89E24D |
SHA-512: | 92E84AF4B6F3B19D418B2381D5E3153CF41DB7D24C264D559CF70CEADA6D5EC666CB7D91D87B35FA48512813A51A93115A7F016F2597483487AFE8F7E0E6B97D |
Malicious: | false |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 90112 |
Entropy (8bit): | 5.144128202497777 |
Encrypted: | false |
SSDEEP: | 768:Qx/SGKAGWRqA60dTcR4qYnGfAHE9AUsFxyLtVv:QdKaj6iTcPAsAhxu |
MD5: | C42DC5A45758012BB57A8ECBB2564D9A |
SHA1: | 64CF4263EBC7746EA6D713828B3B6EA489DA22B8 |
SHA-256: | B90D2DEBE61348F4DE8E929C93DDEC0F55DE7F21AC65F29AE187AF713D3154AB |
SHA-512: | BDE793936B99A632B812CF3CF98BB0CD59E08CAEBD8C9B05DEF474961196EC0499EC6FA13E8A0315514BEDF8D2FCF1780A10FFC2FE4A15DAF83A8D0824ECD93D |
Malicious: | false |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 148480 |
Entropy (8bit): | 6.438712984934005 |
Encrypted: | false |
SSDEEP: | 3072:hZg5PXPeiR6MKkjGWoUlJUPdgQa8Bp/LxyA3laW2UDQWf05mjP:hK5vPeDkjGgQaE/loUDtf0aP |
MD5: | A4FBC9306B3447DA4E9F2E5B75298260 |
SHA1: | 2A4F032AE1AD8B942ADFDA1FFA51EFA3DA40745D |
SHA-256: | E8D1DDDCBE9CF5DB528855711FDA487B6E65DD93915EB04199762BD099CB24AB |
SHA-512: | 42068A231D09100626F40629680EA9F04B600D34DFA751C55210A514C9E5B54DDB2E4154E583EB82416D57EEDA9CE030B32C41760226784149E653FD08BC25BA |
Malicious: | false |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1876 |
Entropy (8bit): | 4.827724667265049 |
Encrypted: | false |
SSDEEP: | 24:9yGS9PvCA433C+sCNC1skNkvQfhSHQU2L55e1yb/uBx39lt6DhBhhB4+JvU1SX6O:u9n9mTsCNvEQH5O5U1nPKrhBzM1FO |
MD5: | D8E3C27DF10226578FFE5E1F021E387F |
SHA1: | 3CB59B6554D05A008327FE25202B5405548F1595 |
SHA-256: | F41C7A2E87C0C5BE1F2AFBC637017AE27BD96F22ACFDA79BDE149D63F4BCBEBA |
SHA-512: | C2C856A41630B6480760A75F39C67DADA001FC713B0F05B266964C6CA7A2456F9B9D17DDDB33081E5EBEA7CF1AB6A32BDF4FCC481EDB1249678EDCF604FEA502 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\expand.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 13891 |
Entropy (8bit): | 5.114310451313887 |
Encrypted: | false |
SSDEEP: | 192:Mb6mjua6fGGcoO+EeyH2Dgj9CQ91oVA9sz/qGshLlAM97wAJMOuXn/oE:Mz6fBA2DgroV7iL5977iTX/B |
MD5: | 5550C364259312F7447A4D9B9836E3B9 |
SHA1: | 4418F35EC955ECB1FA4E5D98B2CF2DF7EFB97E3A |
SHA-256: | FB9E1010E6EC66A192B3F991C6CB89CF0207E4909E8A0958155E46C5BBF757DD |
SHA-512: | 259BB9C8D5D37DC63DA0870952D7C62C04A38DE0EE7B4983BDD1E099736C839033F96C51FF325FE335D2FADDAE25C660FA2C5CE1F3151520E190F00A2F08912E |
Malicious: | false |
Process: | C:\Windows\SysWOW64\expand.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 170 |
Entropy (8bit): | 4.705628972220619 |
Encrypted: | false |
SSDEEP: | 3:RGXKRjN3MZ9aSLKLbzXDD9jmKXVM8/FAJoDYTzMX2aHEdoIeUualFHg2kbow:zx3MmSLQHtBXVNsTm2aYoIeURRs7 |
MD5: | 6704C393B77FFF4001981A4998F639B4 |
SHA1: | F150523BC50CCE8B3894804FD42798DA65AF765F |
SHA-256: | 6D6780CFC8C582379D6C17C389F6827D890AEE7CFFC26A04DEE3D854A5B04175 |
SHA-512: | CF64BE97A47210C0132B843B5294940552CB5347F6C4657AFD18D2893CA5B7BEECA758B21F09E3D3E274C931047C0701EE9948C023DFBCDDE82F9AA536EAD19D |
Malicious: | false |
File type: | |
Entropy (8bit): | 7.481349410467826 |
TrID: |
File name: | lnst#U0430Il#U0435r86x.exe |
File size: | 1'409'281 bytes |
MD5: | 80366ac1383e6415790b9993205efb78 |
SHA1: | 8a236d9587e844df67b3ed756d9e5c8753843281 |
SHA256: | ce2d57e8cb34eff0c7d2a11895626e216b4ee7075eaaad279faa82e6242dba9c |
SHA512: | a5ce00a8e0d61529bfbf5d094a5d126ef630d17196e031bb7644f2a7533e15e1297514abf9935cc188efd6ffae8845aa3cd51ce047c0d7dab2096a8969b0d4a5 |
SSDEEP: | 24576:oJQ9Wutnybrv0kb8qRnoFDvDc5bO4KJaQlAleUNrQxqO:u0tnybruynQ/cWJ1EXryqO |
TLSH: | 05652342FF505232E3A41E360DB7B7B28FA576212B22CF1F9208A9C4F8536561F517E9 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t...z...B...8..... |
Icon Hash: | 0038e066a5dc6c80 |
Entrypoint: | 0x4038af |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x4F47E2E4 [Fri Feb 24 19:20:04 2012 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | be41bf7b8cc010b614bd36bbca606973 |
Instruction |
---|
sub esp, 000002D4h |
push ebx |
push ebp |
push esi |
push edi |
push 00000020h |
xor ebp, ebp |
pop esi |
mov dword ptr [esp+18h], ebp |
mov dword ptr [esp+10h], 0040A268h |
mov dword ptr [esp+14h], ebp |
call dword ptr [00409030h] |
push 00008001h |
call dword ptr [004090B4h] |
push ebp |
call dword ptr [004092C0h] |
push 00000008h |
mov dword ptr [0047EB98h], eax |
call 00007F5E1D46CD8Bh |
push ebp |
push 000002B4h |
mov dword ptr [0047EAB0h], eax |
lea eax, dword ptr [esp+38h] |
push eax |
push ebp |
push 0040A264h |
call dword ptr [00409184h] |
push 0040A24Ch |
push 00476AA0h |
call 00007F5E1D46CA6Dh |
call dword ptr [004090B0h] |
push eax |
mov edi, 004CF0A0h |
push edi |
call 00007F5E1D46CA5Bh |
push ebp |
call dword ptr [00409134h] |
cmp word ptr [004CF0A0h], 0022h |
mov dword ptr [0047EAB8h], eax |
mov eax, edi |
jne 00007F5E1D46A35Ah |
push 00000022h |
pop esi |
mov eax, 004CF0A2h |
push esi |
push eax |
call 00007F5E1D46C731h |
push eax |
call dword ptr [00409260h] |
mov esi, eax |
mov dword ptr [esp+1Ch], esi |
jmp 00007F5E1D46A3E3h |
push 00000020h |
pop ebx |
cmp ax, bx |
jne 00007F5E1D46A35Ah |
add esi, 02h |
cmp word ptr [esi], bx |
Programming Language: |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xac40 | 0xb4 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x100000 | 0x59bf0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x86000 | 0x994 | .ndata |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9000 | 0x2d0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x728c | 0x7400 | 419d4e1be1ac35a5db9c47f553b27cea | False | 0.6566540948275862 | data | 6.499708590628113 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x9000 | 0x2b6e | 0x2c00 | cca1ca3fbf99570f6de9b43ce767f368 | False | 0.3678977272727273 | data | 4.497932535153822 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xc000 | 0x72b9c | 0x200 | 77f0839f8ebea31040e462523e1c770e | False | 0.279296875 | data | 1.8049406284608531 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.ndata | 0x7f000 | 0x81000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x100000 | 0x59bf0 | 0x59c00 | 214e5442d762ce1afd88ea881311b3ff | False | 0.4754689676183844 | data | 4.996424375837533 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x15a000 | 0xfd6 | 0x1000 | 620f0b67a91f7f74151bc5be745b7110 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x1001f0 | 0x44028 | Device independent bitmap graphic, 256 x 512 x 32, image size 278528 | English | United States | 0.46352057666350766 |
RT_ICON | 0x144218 | 0x11028 | Device independent bitmap graphic, 128 x 256 x 32, image size 69632 | English | United States | 0.5068033069238719 |
RT_ICON | 0x155240 | 0x4428 | Device independent bitmap graphic, 64 x 128 x 32, image size 17408 | English | United States | 0.5249885373681797 |
RT_DIALOG | 0x159668 | 0x100 | data | English | United States | 0.5234375 |
RT_DIALOG | 0x159768 | 0x11c | data | English | United States | 0.6056338028169014 |
RT_DIALOG | 0x159888 | 0x60 | data | English | United States | 0.7291666666666666 |
RT_GROUP_ICON | 0x1598e8 | 0x30 | data | English | United States | 0.8541666666666666 |
RT_MANIFEST | 0x159918 | 0x2d6 | XML 1.0 document, ASCII text, with very long lines (726), with no line terminators | English | United States | 0.5647382920110193 |
DLL | Import |
---|---|
KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW |
USER32.dll | GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW |
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject |
SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation |
ADVAPI32.dll | RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW |
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create |
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance |
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW |
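The import table above is the kind of input an import hash (imphash) and a capability triage are computed from. As an added example, not code from the report or from Joe Sandbox, the block below parses the table exactly as listed, builds the imphash input string (`dll.func` pairs, lower-cased, extension stripped, in table order) and tags the APIs that the report's own signatures point at (keystrokes, clipboard, dynamic API lookup, shutdown). Two caveats are worth stating: the hash is only the file's real imphash if the report lists imports in the PE's import-table order, which this page does not guarantee, so the value is illustrative; and the `CAPABILITY_APIS` mapping is an assumption for this example, not a published signature set.

```python
import hashlib

# Import table transcribed from the report above (one "DLL | functions" line per DLL).
REPORT_IMPORTS = """\
KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW |
USER32.dll | GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW |
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject |
SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation |
ADVAPI32.dll | RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW |
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create |
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance |
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW |
"""

# Assumed mapping for this example: the APIs behind the behaviours the report's
# signature list names. Not a published rule set.
CAPABILITY_APIS = {
    "keystroke capture": {"GetAsyncKeyState"},
    "clipboard access": {"OpenClipboard", "SetClipboardData", "EmptyClipboard", "CloseClipboard"},
    "dynamic API resolution": {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExW", "GetProcAddress"},
    "shutdown/reboot": {"ExitWindowsEx"},
    "process launch": {"CreateProcessW", "ShellExecuteW"},
    "registry write": {"RegCreateKeyExW", "RegSetValueExW", "RegDeleteKeyW", "RegDeleteValueW"},
}


def parse_imports(text):
    """Turn the report's 'DLL | f1, f2, ... |' lines into [(dll, [funcs]), ...], keeping order.
    The report lists imports by name only, so ordinal imports are not handled here."""
    table = []
    for line in text.splitlines():
        if " | " not in line:
            continue
        dll, funcs = line.split(" | ", 1)
        names = [f.strip() for f in funcs.replace("|", "").split(",") if f.strip()]
        table.append((dll.strip(), names))
    return table


def imphash_input(table):
    """The string an import hash is taken over: 'lib.func' pairs, lower-cased,
    DLL extension stripped, comma-joined in import-table order."""
    parts = []
    for dll, funcs in table:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        parts.extend(f"{lib}.{func.lower()}" for func in funcs)
    return ",".join(parts)


def imphash(table):
    """MD5 over imphash_input(); order-sensitive by design."""
    return hashlib.md5(imphash_input(table).encode("ascii")).hexdigest()


def capabilities(table):
    """Map each capability tag to the 'DLL!Func' imports that support it."""
    hits = {}
    for dll, funcs in table:
        for func in funcs:
            for tag, apis in CAPABILITY_APIS.items():
                if func in apis:
                    hits.setdefault(tag, []).append(f"{dll}!{func}")
    return {tag: sorted(v) for tag, v in sorted(hits.items())}


if __name__ == "__main__":
    imports = parse_imports(REPORT_IMPORTS)
    print("imphash (valid only if the listing preserves PE import order):", imphash(imports))
    for tag, funcs in capabilities(imports).items():
        print(f"{tag:24s} {', '.join(funcs)}")
```

Reversing the DLL order changes the hash, which is the property that makes imphash useful for clustering builds of the same toolchain and also why a re-ordered listing must not be hashed as if it were the PE. The tagged APIs (clipboard, `ExitWindowsEx`, `GetAsyncKeyState`, `LoadLibrary`/`GetProcAddress`) are also what an interactive installer stub needs for its UI and reboot handling, so on their own they say little about the outer executable; the stealer behaviour in this report is attributed to the dropped `Considering.com`, not to these imports.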
Language of compilation system | Country where language is spoken |
---|---|
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-02-16T14:31:56.565055+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49737 | 149.154.167.99 | 443 | TCP |
2025-02-16T14:31:57.366183+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49738 | 188.114.97.3 | 443 | TCP |
2025-02-16T14:31:57.837448+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49738 | 188.114.97.3 | 443 | TCP |
2025-02-16T14:31:57.837448+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49738 | 188.114.97.3 | 443 | TCP |
2025-02-16T14:31:58.312583+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49739 | 188.114.97.3 | 443 | TCP |
2025-02-16T14:31:58.813045+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49739 | 188.114.97.3 | 443 | TCP |
2025-02-16T14:31:59.571736+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49740 | 188.114.97.3 | 443 | TCP |
2025-02-16T14:32:00.934348+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49741 | 188.114.97.3 | 443 | TCP |
2025-02-16T14:32:01.695144+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49741 | 188.114.97.3 | 443 | TCP |
2025-02-16T14:32:02.235872+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49742 | 188.114.97.3 | 443 | TCP |
2025-02-16T14:32:03.542781+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49743 | 188.114.97.3 | 443 | TCP |
2025-02-16T14:32:04.869173+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49744 | 188.114.97.3 | 443 | TCP |
2025-02-16T14:32:06.981568+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49745 | 188.114.97.3 | 443 | TCP |
2025-02-16T14:32:07.428898+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49745 | 188.114.97.3 | 443 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 16, 2025 14:31:55.939716101 CET | 49737 | 443 | 192.168.2.4 | 149.154.167.99 |
Feb 16, 2025 14:31:55.939762115 CET | 443 | 49737 | 149.154.167.99 | 192.168.2.4 |
Feb 16, 2025 14:31:55.939879894 CET | 49737 | 443 | 192.168.2.4 | 149.154.167.99 |
Feb 16, 2025 14:31:55.942728996 CET | 49737 | 443 | 192.168.2.4 | 149.154.167.99 |
Feb 16, 2025 14:31:55.942744970 CET | 443 | 49737 | 149.154.167.99 | 192.168.2.4 |
Feb 16, 2025 14:31:56.564945936 CET | 443 | 49737 | 149.154.167.99 | 192.168.2.4 |
Feb 16, 2025 14:31:56.565054893 CET | 49737 | 443 | 192.168.2.4 | 149.154.167.99 |
Feb 16, 2025 14:31:56.569178104 CET | 49737 | 443 | 192.168.2.4 | 149.154.167.99 |
Feb 16, 2025 14:31:56.569185972 CET | 443 | 49737 | 149.154.167.99 | 192.168.2.4 |
Feb 16, 2025 14:31:56.569497108 CET | 443 | 49737 | 149.154.167.99 | 192.168.2.4 |
Feb 16, 2025 14:31:56.611774921 CET | 49737 | 443 | 192.168.2.4 | 149.154.167.99 |
Feb 16, 2025 14:31:56.635617018 CET | 49737 | 443 | 192.168.2.4 | 149.154.167.99 |
Feb 16, 2025 14:31:56.683329105 CET | 443 | 49737 | 149.154.167.99 | 192.168.2.4 |
Feb 16, 2025 14:31:56.865761042 CET | 443 | 49737 | 149.154.167.99 | 192.168.2.4 |
Feb 16, 2025 14:31:56.865830898 CET | 443 | 49737 | 149.154.167.99 | 192.168.2.4 |
Feb 16, 2025 14:31:56.865850925 CET | 443 | 49737 | 149.154.167.99 | 192.168.2.4 |
Feb 16, 2025 14:31:56.865889072 CET | 443 | 49737 | 149.154.167.99 | 192.168.2.4 |
Feb 16, 2025 14:31:56.865997076 CET | 49737 | 443 | 192.168.2.4 | 149.154.167.99 |
Feb 16, 2025 14:31:56.865997076 CET | 49737 | 443 | 192.168.2.4 | 149.154.167.99 |
Feb 16, 2025 14:31:56.866015911 CET | 443 | 49737 | 149.154.167.99 | 192.168.2.4 |
Feb 16, 2025 14:31:56.866036892 CET | 443 | 49737 | 149.154.167.99 | 192.168.2.4 |
Feb 16, 2025 14:31:56.866061926 CET | 49737 | 443 | 192.168.2.4 | 149.154.167.99 |
Feb 16, 2025 14:31:56.866103888 CET | 49737 | 443 | 192.168.2.4 | 149.154.167.99 |
Feb 16, 2025 14:31:56.868664980 CET | 49737 | 443 | 192.168.2.4 | 149.154.167.99 |
Feb 16, 2025 14:31:56.868678093 CET | 443 | 49737 | 149.154.167.99 | 192.168.2.4 |
Feb 16, 2025 14:31:56.868694067 CET | 49737 | 443 | 192.168.2.4 | 149.154.167.99 |
Feb 16, 2025 14:31:56.868699074 CET | 443 | 49737 | 149.154.167.99 | 192.168.2.4 |
Feb 16, 2025 14:31:56.884351015 CET | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:31:56.884377003 CET | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:56.884447098 CET | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:31:56.884835005 CET | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:31:56.884848118 CET | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:57.366077900 CET | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:57.366183043 CET | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:31:57.367490053 CET | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:31:57.367501020 CET | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:57.367819071 CET | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:57.368911028 CET | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:31:57.368932009 CET | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:31:57.369020939 CET | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:57.837423086 CET | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:57.837650061 CET | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:57.837853909 CET | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:31:57.838179111 CET | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:31:57.838232994 CET | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:57.838263988 CET | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:31:57.838279009 CET | 443 | 49738 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:57.841430902 CET | 49739 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:31:57.841473103 CET | 443 | 49739 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:57.841547966 CET | 49739 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:31:57.841924906 CET | 49739 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:31:57.841933966 CET | 443 | 49739 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:58.312478065 CET | 443 | 49739 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:58.312582970 CET | 49739 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:31:58.314133883 CET | 49739 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:31:58.314141989 CET | 443 | 49739 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:58.314459085 CET | 443 | 49739 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:58.315536976 CET | 49739 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:31:58.315557003 CET | 49739 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:31:58.315593958 CET | 443 | 49739 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:58.813075066 CET | 443 | 49739 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:58.813297987 CET | 443 | 49739 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:58.813414097 CET | 443 | 49739 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:58.813446045 CET | 49739 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:31:58.813468933 CET | 443 | 49739 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:58.813591957 CET | 443 | 49739 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:58.813694000 CET | 443 | 49739 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:58.813783884 CET | 49739 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:31:58.813783884 CET | 49739 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:31:58.813790083 CET | 443 | 49739 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:58.813831091 CET | 443 | 49739 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:58.813977003 CET | 443 | 49739 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:58.813998938 CET | 49739 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:31:58.814019918 CET | 443 | 49739 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:58.814074993 CET | 49739 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:31:58.814085960 CET | 443 | 49739 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:58.817883968 CET | 443 | 49739 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:58.818074942 CET | 49739 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:31:58.818094015 CET | 443 | 49739 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:58.861767054 CET | 49739 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:31:58.902264118 CET | 443 | 49739 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:58.902467012 CET | 443 | 49739 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:58.902554989 CET | 443 | 49739 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:58.902718067 CET | 49739 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:31:58.902739048 CET | 443 | 49739 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:58.902776003 CET | 443 | 49739 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:58.903137922 CET | 49739 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:31:58.903211117 CET | 49739 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:31:58.903224945 CET | 443 | 49739 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:58.903249025 CET | 49739 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:31:58.903253078 CET | 443 | 49739 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:59.094619036 CET | 49740 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:31:59.094707012 CET | 443 | 49740 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:59.094800949 CET | 49740 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:31:59.095191002 CET | 49740 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:31:59.095221996 CET | 443 | 49740 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:59.571356058 CET | 443 | 49740 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:59.571736097 CET | 49740 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:31:59.572889090 CET | 49740 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:31:59.572942972 CET | 443 | 49740 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:59.573476076 CET | 443 | 49740 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:59.574676037 CET | 49740 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:31:59.574676037 CET | 49740 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:31:59.574883938 CET | 443 | 49740 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:31:59.575105906 CET | 49740 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:31:59.575164080 CET | 443 | 49740 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:00.445049047 CET | 443 | 49740 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:00.445276976 CET | 443 | 49740 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:00.445425987 CET | 49740 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:00.445518017 CET | 49740 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:00.445555925 CET | 443 | 49740 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:00.464694023 CET | 49741 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:00.464790106 CET | 443 | 49741 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:00.464895964 CET | 49741 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:00.465146065 CET | 49741 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:00.465173006 CET | 443 | 49741 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:00.934230089 CET | 443 | 49741 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:00.934348106 CET | 49741 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:00.935411930 CET | 49741 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:00.935442924 CET | 443 | 49741 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:00.936017036 CET | 443 | 49741 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:00.937071085 CET | 49741 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:00.937202930 CET | 49741 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:00.937241077 CET | 443 | 49741 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:01.695135117 CET | 443 | 49741 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:01.695360899 CET | 49741 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:01.768286943 CET | 49742 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:01.768377066 CET | 443 | 49742 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:01.768493891 CET | 49742 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:01.775654078 CET | 49742 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:01.775686979 CET | 443 | 49742 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:02.235574961 CET | 443 | 49742 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:02.235872030 CET | 49742 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:02.237018108 CET | 49742 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:02.237046957 CET | 443 | 49742 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:02.237384081 CET | 443 | 49742 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:02.238465071 CET | 49742 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:02.238599062 CET | 49742 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:02.238734961 CET | 443 | 49742 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:02.238866091 CET | 49742 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:02.238882065 CET | 443 | 49742 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:02.961563110 CET | 443 | 49742 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:02.961786985 CET | 443 | 49742 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:02.961848974 CET | 49742 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:02.961848974 CET | 49742 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:03.050911903 CET | 49743 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:03.050955057 CET | 443 | 49743 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:03.051024914 CET | 49743 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:03.051604986 CET | 49743 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:03.051624060 CET | 443 | 49743 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:03.542646885 CET | 443 | 49743 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:03.542781115 CET | 49743 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:03.543858051 CET | 49743 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:03.543869019 CET | 443 | 49743 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:03.544363022 CET | 443 | 49743 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:03.547780991 CET | 49743 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:03.547858953 CET | 49743 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:03.547919035 CET | 443 | 49743 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:04.045418978 CET | 443 | 49743 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:04.045550108 CET | 443 | 49743 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:04.045686960 CET | 49743 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:04.045686960 CET | 49743 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:04.390834093 CET | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:04.390863895 CET | 443 | 49744 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:04.390945911 CET | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:04.391380072 CET | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:04.391388893 CET | 443 | 49744 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:04.869076014 CET | 443 | 49744 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:04.869173050 CET | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:04.872189999 CET | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:04.872196913 CET | 443 | 49744 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:04.872585058 CET | 443 | 49744 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:04.875426054 CET | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:04.876822948 CET | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:04.876858950 CET | 443 | 49744 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:04.877013922 CET | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:04.877048969 CET | 443 | 49744 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:04.877172947 CET | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:04.877207041 CET | 443 | 49744 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:04.877353907 CET | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:04.877378941 CET | 443 | 49744 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:04.877547979 CET | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:04.877574921 CET | 443 | 49744 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:04.877734900 CET | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:04.877767086 CET | 443 | 49744 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:04.877774954 CET | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:04.877911091 CET | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:04.877939939 CET | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:04.894048929 CET | 443 | 49744 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:04.894231081 CET | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:04.894275904 CET | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:04.894293070 CET | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:04.894296885 CET | 443 | 49744 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:04.894341946 CET | 443 | 49744 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:04.894365072 CET | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:04.894432068 CET | 443 | 49744 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:04.894475937 CET | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:04.894506931 CET | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:04.894531965 CET | 443 | 49744 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:04.894548893 CET | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:04.894572973 CET | 443 | 49744 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:04.894609928 CET | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:04.894659042 CET | 443 | 49744 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:06.484443903 CET | 443 | 49744 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:06.484693050 CET | 443 | 49744 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:06.484765053 CET | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:06.486819029 CET | 49744 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:06.488574982 CET | 49745 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:06.488677979 CET | 443 | 49745 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:06.488771915 CET | 49745 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:06.489141941 CET | 49745 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:06.489181995 CET | 443 | 49745 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:06.981487989 CET | 443 | 49745 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:06.981568098 CET | 49745 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:06.987906933 CET | 49745 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:06.987926960 CET | 443 | 49745 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:06.988445044 CET | 443 | 49745 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:06.989727020 CET | 49745 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:06.989749908 CET | 49745 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:06.989815950 CET | 443 | 49745 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:07.428922892 CET | 443 | 49745 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:07.429152012 CET | 443 | 49745 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:07.429214954 CET | 49745 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:07.429305077 CET | 49745 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:07.429325104 CET | 443 | 49745 | 188.114.97.3 | 192.168.2.4 |
Feb 16, 2025 14:32:07.429342031 CET | 49745 | 443 | 192.168.2.4 | 188.114.97.3 |
Feb 16, 2025 14:32:07.429348946 CET | 443 | 49745 | 188.114.97.3 | 192.168.2.4 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 16, 2025 14:31:22.928658962 CET | 60553 | 53 | 192.168.2.4 | 1.1.1.1 |
Feb 16, 2025 14:31:22.938862085 CET | 53 | 60553 | 1.1.1.1 | 192.168.2.4 |
Feb 16, 2025 14:31:55.641562939 CET | 52083 | 53 | 192.168.2.4 | 1.1.1.1 |
Feb 16, 2025 14:31:55.933243990 CET | 53 | 52083 | 1.1.1.1 | 192.168.2.4 |
Feb 16, 2025 14:31:56.871567965 CET | 62144 | 53 | 192.168.2.4 | 1.1.1.1 |
Feb 16, 2025 14:31:56.883577108 CET | 53 | 62144 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Feb 16, 2025 14:31:22.928658962 CET | 192.168.2.4 | 1.1.1.1 | 0x2bb8 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Feb 16, 2025 14:31:55.641562939 CET | 192.168.2.4 | 1.1.1.1 | 0x4a05 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Feb 16, 2025 14:31:56.871567965 CET | 192.168.2.4 | 1.1.1.1 | 0xac4 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Feb 16, 2025 14:31:22.938862085 CET | 1.1.1.1 | 192.168.2.4 | 0x2bb8 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Feb 16, 2025 14:31:55.933243990 CET | 1.1.1.1 | 192.168.2.4 | 0x4a05 | No error (0) | | | 149.154.167.99 | A (IP address) | IN (0x0001) | false |
Feb 16, 2025 14:31:56.883577108 CET | 1.1.1.1 | 192.168.2.4 | 0xac4 | No error (0) | | | 188.114.97.3 | A (IP address) | IN (0x0001) | false |
Feb 16, 2025 14:31:56.883577108 CET | 1.1.1.1 | 192.168.2.4 | 0xac4 | No error (0) | | | 188.114.96.3 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.4 | 49737 | 149.154.167.99 | 443 | 6484 | C:\Users\user\AppData\Local\Temp\670499\Considering.com |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-02-16 13:31:56 UTC | 192 | OUT | |
2025-02-16 13:31:56 UTC | 511 | IN | |
2025-02-16 13:31:56 UTC | 12400 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.4 | 49738 | 188.114.97.3 | 443 | 6484 | C:\Users\user\AppData\Local\Temp\670499\Considering.com |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-02-16 13:31:57 UTC | 266 | OUT | |
2025-02-16 13:31:57 UTC | 8 | OUT | |
2025-02-16 13:31:57 UTC | 1034 | IN | |
2025-02-16 13:31:57 UTC | 7 | IN | |
2025-02-16 13:31:57 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.4 | 49739 | 188.114.97.3 | 443 | 6484 | C:\Users\user\AppData\Local\Temp\670499\Considering.com |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-02-16 13:31:58 UTC | 267 | OUT | |
2025-02-16 13:31:58 UTC | 55 | OUT | |
2025-02-16 13:31:58 UTC | 1040 | IN | |
2025-02-16 13:31:58 UTC | 329 | IN | |
2025-02-16 13:31:58 UTC | 1369 | IN | |
2025-02-16 13:31:58 UTC | 1369 | IN | |
2025-02-16 13:31:58 UTC | 184 | IN | |
2025-02-16 13:31:58 UTC | 1369 | IN | |
2025-02-16 13:31:58 UTC | 1369 | IN | |
2025-02-16 13:31:58 UTC | 1369 | IN | |
2025-02-16 13:31:58 UTC | 1369 | IN | |
2025-02-16 13:31:58 UTC | 1369 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.4 | 49740 | 188.114.97.3 | 443 | 6484 | C:\Users\user\AppData\Local\Temp\670499\Considering.com |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-02-16 13:31:59 UTC | 284 | OUT | |
2025-02-16 13:31:59 UTC | 15331 | OUT | |
2025-02-16 13:31:59 UTC | 2835 | OUT | |
2025-02-16 13:32:00 UTC | 1035 | IN | |
2025-02-16 13:32:00 UTC | 20 | IN | |
2025-02-16 13:32:00 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.4 | 49741 | 188.114.97.3 | 443 | 6484 | C:\Users\user\AppData\Local\Temp\670499\Considering.com |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-02-16 13:32:00 UTC | 275 | OUT | |
2025-02-16 13:32:00 UTC | 8739 | OUT | |
2025-02-16 13:32:01 UTC | 1036 | IN | |
2025-02-16 13:32:01 UTC | 20 | IN | |
2025-02-16 13:32:01 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.4 | 49742 | 188.114.97.3 | 443 | 6484 | C:\Users\user\AppData\Local\Temp\670499\Considering.com |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-02-16 13:32:02 UTC | 280 | OUT | |
2025-02-16 13:32:02 UTC | 15331 | OUT | |
2025-02-16 13:32:02 UTC | 5085 | OUT | |
2025-02-16 13:32:02 UTC | 1042 | IN | |
2025-02-16 13:32:02 UTC | 20 | IN | |
2025-02-16 13:32:02 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.4 | 49743 | 188.114.97.3 | 443 | 6484 | C:\Users\user\AppData\Local\Temp\670499\Considering.com |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-02-16 13:32:03 UTC | 274 | OUT | |
2025-02-16 13:32:03 UTC | 2327 | OUT | |
2025-02-16 13:32:04 UTC | 1037 | IN | |
2025-02-16 13:32:04 UTC | 20 | IN | |
2025-02-16 13:32:04 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.4 | 49744 | 188.114.97.3 | 443 | 6484 | C:\Users\user\AppData\Local\Temp\670499\Considering.com |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-02-16 13:32:04 UTC | 287 | OUT | |
2025-02-16 13:32:04 UTC | 15331 | OUT | |
2025-02-16 13:32:04 UTC | 15331 | OUT | |
2025-02-16 13:32:04 UTC | 15331 | OUT | |
2025-02-16 13:32:04 UTC | 15331 | OUT | |
2025-02-16 13:32:04 UTC | 15331 | OUT | |
2025-02-16 13:32:04 UTC | 15331 | OUT | |
2025-02-16 13:32:04 UTC | 15331 | OUT | |
2025-02-16 13:32:04 UTC | 15331 | OUT | |
2025-02-16 13:32:04 UTC | 15331 | OUT | |
2025-02-16 13:32:04 UTC | 15331 | OUT | |
2025-02-16 13:32:06 UTC | 1044 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
8 | 192.168.2.4 | 49745 | 188.114.97.3 | 443 | 6484 | C:\Users\user\AppData\Local\Temp\670499\Considering.com |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-02-16 13:32:06 UTC | 267 | OUT | |
2025-02-16 13:32:06 UTC | 89 | OUT | |
2025-02-16 13:32:07 UTC | 1046 | IN | |
2025-02-16 13:32:07 UTC | 54 | IN | |
2025-02-16 13:32:07 UTC | 5 | IN |
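The Suricata alert table and the per-session byte tables above share one join key, (source port, destination IP), and read together they show something the alert list alone does not: the "Lumma Stealer Exfiltration" signature (SID 2048094) fired only on session 4 (port 49741, 8,739 bytes out), while sessions 3, 5 and 7 pushed 15 KiB to 150 KiB outbound against roughly 1 KiB of response each and drew only the JA3 alert. The block below is an added example, not part of the report, that performs that join and adds a volumetric rule. Byte counts, ports and SIDs are transcribed from the tables above; the thresholds `MIN_OUT_BYTES` and `MIN_OUT_IN_RATIO` are assumptions chosen for illustration.

```python
from collections import defaultdict

# Suricata alerts transcribed from the report: (sid, severity, src_port, dst_ip).
ALERTS = [
    (2028371, 3, 49737, "149.154.167.99"),
    (2028371, 3, 49738, "188.114.97.3"),
    (2049836, 1, 49738, "188.114.97.3"),
    (2054653, 1, 49738, "188.114.97.3"),
    (2028371, 3, 49739, "188.114.97.3"),
    (2054653, 1, 49739, "188.114.97.3"),
    (2028371, 3, 49740, "188.114.97.3"),
    (2028371, 3, 49741, "188.114.97.3"),
    (2048094, 1, 49741, "188.114.97.3"),
    (2028371, 3, 49742, "188.114.97.3"),
    (2028371, 3, 49743, "188.114.97.3"),
    (2028371, 3, 49744, "188.114.97.3"),
    (2028371, 3, 49745, "188.114.97.3"),
    (2054653, 1, 49745, "188.114.97.3"),
]

SIGNATURES = {
    2028371: "ET JA3 Hash - Possible Malware - Fake Firefox Font Update",
    2049836: "ET MALWARE Lumma Stealer Related Activity",
    2054653: "ET MALWARE Lumma Stealer CnC Host Checkin",
    2048094: "ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration",
}

# TLS sessions transcribed from the report: session id -> (src_port, dst_ip, [(direction, bytes), ...]).
SESSIONS = {
    0: (49737, "149.154.167.99", [("OUT", 192), ("IN", 511), ("IN", 12400)]),
    1: (49738, "188.114.97.3", [("OUT", 266), ("OUT", 8), ("IN", 1034), ("IN", 7), ("IN", 5)]),
    2: (49739, "188.114.97.3", [("OUT", 267), ("OUT", 55), ("IN", 1040), ("IN", 329)]
        + [("IN", 1369)] * 2 + [("IN", 184)] + [("IN", 1369)] * 5),
    3: (49740, "188.114.97.3", [("OUT", 284), ("OUT", 15331), ("OUT", 2835), ("IN", 1035), ("IN", 20), ("IN", 5)]),
    4: (49741, "188.114.97.3", [("OUT", 275), ("OUT", 8739), ("IN", 1036), ("IN", 20), ("IN", 5)]),
    5: (49742, "188.114.97.3", [("OUT", 280), ("OUT", 15331), ("OUT", 5085), ("IN", 1042), ("IN", 20), ("IN", 5)]),
    6: (49743, "188.114.97.3", [("OUT", 274), ("OUT", 2327), ("IN", 1037), ("IN", 20), ("IN", 5)]),
    7: (49744, "188.114.97.3", [("OUT", 287)] + [("OUT", 15331)] * 10 + [("IN", 1044)]),
    8: (49745, "188.114.97.3", [("OUT", 267), ("OUT", 89), ("IN", 1046), ("IN", 54), ("IN", 5)]),
}

# Assumed thresholds for this example: a client that pushes at least 4 KiB and
# sends at least twice what it receives is treated as uploading, not fetching.
MIN_OUT_BYTES = 4096
MIN_OUT_IN_RATIO = 2.0


def session_totals(records):
    """Sum bytes per direction for one session."""
    out_b = sum(n for d, n in records if d == "OUT")
    in_b = sum(n for d, n in records if d == "IN")
    return out_b, in_b


def alerts_by_session(alerts, sessions):
    """Join alerts to sessions on (source port, destination IP); returns session id -> set of SIDs."""
    key_to_session = {(port, ip): sess for sess, (port, ip, _) in sessions.items()}
    joined = defaultdict(set)
    for sid, _severity, port, ip in alerts:
        sess = key_to_session.get((port, ip))
        if sess is not None:
            joined[sess].add(sid)
    return joined


def analyse(alerts=ALERTS, sessions=SESSIONS):
    """Per session: byte totals, out/in ratio, joined SIDs and the volumetric verdict."""
    joined = alerts_by_session(alerts, sessions)
    result = {}
    for sess, (port, ip, records) in sessions.items():
        out_b, in_b = session_totals(records)
        ratio = out_b / in_b if in_b else float("inf")
        result[sess] = {
            "port": port, "dst": ip, "out": out_b, "in": in_b, "ratio": ratio,
            "alerts": sorted(joined.get(sess, ())),
            "volumetric_exfil": out_b >= MIN_OUT_BYTES and ratio >= MIN_OUT_IN_RATIO,
        }
    return result


def volumetric_hits(analysis):
    """Sessions the byte-direction rule flags."""
    return sorted(s for s, r in analysis.items() if r["volumetric_exfil"])


def signature_hits(analysis, sid=2048094):
    """Sessions on which a given SID (default: the exfiltration signature) fired."""
    return sorted(s for s, r in analysis.items() if sid in r["alerts"])


if __name__ == "__main__":
    a = analyse()
    for sess, r in sorted(a.items()):
        flag = "EXFIL?" if r["volumetric_exfil"] else ""
        print(f"session {sess} {r['port']}->{r['dst']}: out={r['out']:>7} in={r['in']:>6} "
              f"ratio={r['ratio']:6.1f} sids={r['alerts']} {flag}")
    print("volumetric:", volumetric_hits(a), " signature:", signature_hits(a))
```

With the report's numbers this flags sessions 3, 4, 5 and 7, whereas the signature-based view flags only session 4; session 6 (2,327 bytes out) stays below the byte floor even though its ratio exceeds 2, which is the kind of small status post the floor is meant to exclude. The join is only as good as the key: in a real capture with port reuse or NAT the timestamp must be part of it, and the repeated 15,331-byte OUT records are most likely the sandbox's record size rather than application message boundaries, so the rule sums per session instead of reasoning per record.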
Target ID: | 0 |
Start time: | 08:31:18 |
Start date: | 16/02/2025 |
Path: | C:\Users\user\Desktop\lnst#U0430Il#U0435r86x.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 1'409'281 bytes |
MD5 hash: | 80366AC1383E6415790B9993205EFB78 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 08:31:18 |
Start date: | 16/02/2025 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x240000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 2 |
Start time: | 08:31:18 |
Start date: | 16/02/2025 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 08:31:19 |
Start date: | 16/02/2025 |
Path: | C:\Windows\SysWOW64\expand.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x310000 |
File size: | 53'248 bytes |
MD5 hash: | 544B0DBFF3F393BCE8BB9D815F532D51 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 4 |
Start time: | 08:31:19 |
Start date: | 16/02/2025 |
Path: | C:\Windows\SysWOW64\tasklist.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x970000 |
File size: | 79'360 bytes |
MD5 hash: | 0A4448B31CE7F83CB7691A2657F330F1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 5 |
Start time: | 08:31:19 |
Start date: | 16/02/2025 |
Path: | C:\Windows\SysWOW64\findstr.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xf20000 |
File size: | 29'696 bytes |
MD5 hash: | F1D4BE0E99EC734376FDE474A8D4EA3E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 6 |
Start time: | 08:31:20 |
Start date: | 16/02/2025 |
Path: | C:\Windows\SysWOW64\tasklist.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x970000 |
File size: | 79'360 bytes |
MD5 hash: | 0A4448B31CE7F83CB7691A2657F330F1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 7 |
Start time: | 08:31:20 |
Start date: | 16/02/2025 |
Path: | C:\Windows\SysWOW64\findstr.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xf20000 |
File size: | 29'696 bytes |
MD5 hash: | F1D4BE0E99EC734376FDE474A8D4EA3E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 8 |
Start time: | 08:31:21 |
Start date: | 16/02/2025 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x240000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 9 |
Start time: | 08:31:21 |
Start date: | 16/02/2025 |
Path: | C:\Windows\SysWOW64\extrac32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 29'184 bytes |
MD5 hash: | 9472AAB6390E4F1431BAA912FCFF9707 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 10 |
Start time: | 08:31:21 |
Start date: | 16/02/2025 |
Path: | C:\Windows\SysWOW64\findstr.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xf20000 |
File size: | 29'696 bytes |
MD5 hash: | F1D4BE0E99EC734376FDE474A8D4EA3E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 11 |
Start time: | 08:31:21 |
Start date: | 16/02/2025 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x240000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 12 |
Start time: | 08:31:21 |
Start date: | 16/02/2025 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x240000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 13 |
Start time: | 08:31:21 |
Start date: | 16/02/2025 |
Path: | C:\Users\user\AppData\Local\Temp\670499\Considering.com |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xfe0000 |
File size: | 947'288 bytes |
MD5 hash: | 62D09F076E6E0240548C2F837536A46A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Antivirus matches: | |
Has exited: | true |
Target ID: | 14 |
Start time: | 08:31:22 |
Start date: | 16/02/2025 |
Path: | C:\Windows\SysWOW64\choice.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x500000 |
File size: | 28'160 bytes |
MD5 hash: | FCE0E41C87DC4ABBE976998AD26C27E4 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
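The process list above shows the loader's execution chain: cmd.exe spawning tasklist.exe and findstr.exe (process discovery), extrac32.exe, a renamed payload launched as a .com file from a numeric folder under the user's Temp directory, and choice.exe. The following detector is an added example written for this page, not code from the report or the sandbox vendor. It walks constructed process-creation events and flags an outermost cmd.exe whose subtree contains that combination. The event records, pids, the dropper and script names, and every command line are assumptions (the report's Commandline fields are empty); the Temp-path pattern is generalised from the single path in the report to any numeric subfolder and any .com name.

```python
"""Flag the cmd.exe -> tasklist/findstr -> extrac32 -> Temp\<digits>\*.com -> choice
execution chain in process-creation telemetry.  Added example; the telemetry
schema (ProcEvent) is hypothetical, not a real EDR or Sysmon format."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full image path as logged
    cmdline: str = ""   # may be empty, as in the report's Commandline field


@dataclass(frozen=True)
class Finding:
    root_cmd_pid: int
    indicators: tuple[str, ...]


# A PE renamed to .com and launched from a numeric folder under the user's
# Temp directory (generalised from the one such path in the report).
TEMP_COM_RE = re.compile(
    r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\\d+\\[^\\]+\.com$",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def descendants(pid: int, children: dict[int, list[ProcEvent]]) -> list[ProcEvent]:
    """All transitive children of pid (iterative, so deep trees are fine)."""
    out, stack = [], list(children.get(pid, []))
    while stack:
        ev = stack.pop()
        out.append(ev)
        stack.extend(children.get(ev.pid, []))
    return out


def detect(events: Iterable[ProcEvent]) -> list[Finding]:
    by_pid = {e.pid: e for e in events}
    children: dict[int, list[ProcEvent]] = defaultdict(list)
    for e in by_pid.values():
        children[e.ppid].append(e)

    findings: list[Finding] = []
    for e in by_pid.values():
        if basename(e.image) != "cmd.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is not None and basename(parent.image) == "cmd.exe":
            continue  # score only the outermost cmd.exe of a nested cmd chain
        subtree = descendants(e.pid, children)
        names = {basename(d.image) for d in subtree}

        ind: list[str] = []
        if {"tasklist.exe", "findstr.exe"} <= names:
            ind.append("av_process_search")   # tasklist piped through findstr
        if "extrac32.exe" in names:
            ind.append("lolbin_extrac32")     # CAB extraction LOLBin under cmd
        if any(TEMP_COM_RE.match(d.image) for d in subtree):
            ind.append("temp_com_exec")
        # choice.exe used as a sleep; the report carries no command line, so
        # match on the image alone (require "/t" when telemetry has cmdlines).
        if "choice.exe" in names:
            ind.append("choice_delay")

        if "temp_com_exec" in ind or len(ind) >= 2:
            findings.append(Finding(e.pid, tuple(ind)))
    return findings


# Constructed sample telemetry.  Pids, dropper/script names and all command
# lines are assumptions; only the Considering.com path comes from the report.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Users\user\Desktop\dropper.exe"),
    ProcEvent(101, 100, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c "C:\Users\user\AppData\Local\Temp\670499\script.cmd"'),
    ProcEvent(102, 101, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    ProcEvent(103, 101, r"C:\Windows\SysWOW64\findstr.exe",
              'findstr /I "avastui.exe bdservicehost.exe"'),
    ProcEvent(104, 101, r"C:\Windows\SysWOW64\extrac32.exe"),
    ProcEvent(105, 101, r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(106, 105, r"C:\Users\user\AppData\Local\Temp\670499\Considering.com"),
    ProcEvent(107, 101, r"C:\Windows\SysWOW64\choice.exe", "choice /d y /t 5"),
    # Benign: an admin running tasklist from a prompt, no other indicators.
    ProcEvent(200, 1, r"C:\Windows\explorer.exe"),
    ProcEvent(201, 200, r"C:\Windows\System32\cmd.exe"),
    ProcEvent(202, 201, r"C:\Windows\System32\tasklist.exe", "tasklist /v"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"cmd.exe pid {f.root_cmd_pid}: {', '.join(f.indicators)}")
```

Scoring the outermost cmd.exe rather than each nested one keeps the three cmd.exe instances of a single batch run from producing three alerts, and the benign tasklist-only prompt is below the reporting threshold. With telemetry that records command lines, tighten `av_process_search` to a findstr argument list and `choice_delay` to a `/t` switch.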
Execution Graph
Execution Coverage: | 17.8% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 21% |
Total number of Nodes: | 1482 |
Total number of Limit Nodes: | 27 |