Windows
Analysis Report
keynote.exe
Detection |
---|
Score: 100 (range 0 - 100) |
Confidence: 100% |
- System is w10x64
- keynote.exe (PID: 7324, cmdline: "C:\Users\user\Desktop\keynote.exe", MD5: C917B7129EF904754323B0DAEB255461)
Extracted malware configuration:

```json
{
  "C2 url": [
    "bzondingmoments.tech",
    "nestlecompany.world",
    "mercharena.biz",
    "generalmills.pro",
    "stormlegue.com",
    "blast-hubs.com",
    "blastikcn.com",
    "nestlecompany.pro"
  ],
  "Build id": "PW8ZQN--"
}
```
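The eight C2 hostnames in the extracted configuration above are the most durable indicators on this page: the single address they resolved to in the sandbox (104.21.17.68, CLOUDFLARENETUS) is shared Cloudflare infrastructure and is not worth blocking on its own. The following Python, added here as an example and not part of the Joe Sandbox report, turns that configuration into Suricata DNS-query and TLS-SNI rules. The configuration literal is the one shown above; the SID range, the message text and the `dns.query` / `tls.sni` / `endswith` keyword syntax (Suricata 5.0 or later) are this example's own assumptions.

```python
"""Build Suricata rules from the LummaC configuration extracted above.

Added example, not part of the Joe Sandbox report. EXTRACTED_CONFIG is a copy
of the report's configuration block; SID_BASE, the message text and the rule
layout are assumptions of this example (Suricata 5.0+ keyword syntax).
"""
import json
import re

EXTRACTED_CONFIG = (
    '{"C2 url": ["bzondingmoments.tech", "nestlecompany.world", "mercharena.biz", '
    '"generalmills.pro", "stormlegue.com", "blast-hubs.com", "blastikcn.com", '
    '"nestlecompany.pro"], "Build id": "PW8ZQN--"}'
)

SID_BASE = 9_100_000  # assumed: inside the 1,000,000+ range reserved for local rules

# Hostname: dot-separated labels of 1-63 letters/digits/hyphens, at least one dot.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$", re.I
)


def load_c2_domains(config_json: str) -> list:
    """Normalise the 'C2 url' entries to bare hostnames, dropping duplicates and junk."""
    hosts = []
    for entry in json.loads(config_json).get("C2 url", []):
        host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", entry.strip().lower())  # scheme, if any
        host = host.split("/")[0].split(":")[0].rstrip(".")                   # path, port, trailing dot
        if host and host not in hosts and _HOSTNAME_RE.match(host):
            hosts.append(host)
    return hosts


def _msg_safe(text: str) -> str:
    """Keep rule msg strings free of the characters that break Suricata rule parsing."""
    return re.sub(r'[";\\]', "_", text)


def suricata_rules(domains, build_id: str, sid_base: int = SID_BASE) -> list:
    """One DNS-query rule and one TLS-SNI rule per C2 hostname, with sequential SIDs."""
    rules = []
    sid = sid_base
    tag = _msg_safe(f"LOCAL LummaC C2 build {build_id}")
    for host in domains:
        rules.append(
            f'alert dns $HOME_NET any -> any any (msg:"{tag} - DNS query {host}"; '
            f'dns.query; content:"{host}"; nocase; endswith; '
            f"classtype:trojan-activity; sid:{sid}; rev:1;)"
        )
        sid += 1
        rules.append(
            f'alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"{tag} - TLS SNI {host}"; '
            f'tls.sni; content:"{host}"; nocase; endswith; '
            f"classtype:trojan-activity; sid:{sid}; rev:1;)"
        )
        sid += 1
    return rules


if __name__ == "__main__":
    cfg = json.loads(EXTRACTED_CONFIG)
    for rule in suricata_rules(load_c2_domains(EXTRACTED_CONFIG), cfg["Build id"]):
        print(rule)
```

`endswith` anchors the match so `blast-hubs.com` also catches subdomains without firing on unrelated strings that merely contain the hostname; the normalisation step tolerates configs from other builds that carry schemes or paths in the "C2 url" list.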
Rule | Description | Author | Matches |
---|---|---|---|
JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security | 1 |
JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | 1 |
JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | 2 |
JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | 2 |
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | 1 |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-02-17T22:15:37.726568+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 149.154.167.99 | 443 | TCP |
2025-02-17T22:15:38.578633+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 104.21.17.68 | 443 | TCP |
2025-02-17T22:15:50.313083+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49732 | 104.21.17.68 | 443 | TCP |
2025-02-17T22:15:50.313083+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49732 | 104.21.17.68 | 443 | TCP |
2025-02-17T22:15:50.803538+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 104.21.17.68 | 443 | TCP |
2025-02-17T22:15:51.355392+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 104.21.17.68 | 443 | TCP |
2025-02-17T22:15:52.446712+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49735 | 104.21.17.68 | 443 | TCP |
2025-02-17T22:16:00.660795+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 104.21.17.68 | 443 | TCP |
2025-02-17T22:16:01.227746+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49741 | 104.21.17.68 | 443 | TCP |
2025-02-17T22:16:03.563691+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49742 | 104.21.17.68 | 443 | TCP |
2025-02-17T22:16:05.906066+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49743 | 104.21.17.68 | 443 | TCP |
2025-02-17T22:16:07.818289+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49744 | 104.21.17.68 | 443 | TCP |
2025-02-17T22:16:10.510517+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49745 | 104.21.17.68 | 443 | TCP |
2025-02-17T22:16:11.359519+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49745 | 104.21.17.68 | 443 | TCP |
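Read per flow rather than per alert, the Suricata output above tells a clearer story: every TLS session first trips the generic severity-3 SID 2028371, and four of the eight sessions to 104.21.17.68 (source ports 49732, 49733, 49735, 49745) later escalate to severity-1 alerts, while the single session to 149.154.167.99 (t.me) never does. The Python below, added as an example and not part of the Joe Sandbox report, performs that correlation on the rows copied from the tables above. The report does not reproduce the rule texts behind the SIDs, so only the severity and classtype columns are interpreted.

```python
"""Correlate the Suricata alerts in the report above by TCP flow.

Added example, not part of the Joe Sandbox report. ALERT_ROWS is a copy of the
rows in the alert tables above; the report gives no rule text for the SIDs, so
only severity and classtype are interpreted.
"""
from collections import defaultdict
from datetime import datetime

ALERT_ROWS = """\
2025-02-17T22:15:37.726568+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 149.154.167.99 | 443 | TCP
2025-02-17T22:15:38.578633+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 104.21.17.68 | 443 | TCP
2025-02-17T22:15:50.803538+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 104.21.17.68 | 443 | TCP
2025-02-17T22:15:52.446712+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49735 | 104.21.17.68 | 443 | TCP
2025-02-17T22:16:01.227746+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49741 | 104.21.17.68 | 443 | TCP
2025-02-17T22:16:03.563691+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49742 | 104.21.17.68 | 443 | TCP
2025-02-17T22:16:05.906066+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49743 | 104.21.17.68 | 443 | TCP
2025-02-17T22:16:07.818289+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49744 | 104.21.17.68 | 443 | TCP
2025-02-17T22:16:10.510517+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49745 | 104.21.17.68 | 443 | TCP
2025-02-17T22:15:50.313083+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49732 | 104.21.17.68 | 443 | TCP
2025-02-17T22:15:51.355392+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 104.21.17.68 | 443 | TCP
2025-02-17T22:16:11.359519+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49745 | 104.21.17.68 | 443 | TCP
2025-02-17T22:15:50.313083+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49732 | 104.21.17.68 | 443 | TCP
2025-02-17T22:16:00.660795+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 104.21.17.68 | 443 | TCP
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"  # %z accepts the report's "+0100" offset


def parse_alerts(text: str = ALERT_ROWS) -> list:
    """Parse pipe-separated alert rows into dicts keyed by 5-tuple flow."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, sev, cls, src, sport, dst, dport, proto = [c.strip() for c in line.split("|")]
        alerts.append({
            "ts": datetime.strptime(ts, TS_FORMAT),
            "sid": int(sid),
            "severity": int(sev),
            "classtype": cls,
            "flow": (src, int(sport), dst, int(dport), proto),
        })
    return alerts


def group_by_flow(alerts: list) -> dict:
    """Group alerts by (src, sport, dst, dport, proto), each group sorted by time."""
    flows = defaultdict(list)
    for alert in alerts:
        flows[alert["flow"]].append(alert)
    for group in flows.values():
        group.sort(key=lambda a: a["ts"])
    return flows


def escalated_flows(alerts: list) -> list:
    """Flows that reached severity 1, with the delay from their first alert to that point."""
    escalated = []
    for flow, group in group_by_flow(alerts).items():
        high = [a for a in group if a["severity"] == 1]
        if not high:
            continue
        escalated.append({
            "src_port": flow[1],
            "dst": flow[2],
            "sids": sorted({a["sid"] for a in high}),
            "seconds_to_high": (high[0]["ts"] - group[0]["ts"]).total_seconds(),
            "c2": any("Command and Control" in a["classtype"] for a in high),
        })
    return sorted(escalated, key=lambda f: f["src_port"])


if __name__ == "__main__":
    parsed = parse_alerts()
    print(f"{len(parsed)} alerts over {len(group_by_flow(parsed))} flows")
    for flow in escalated_flows(parsed):
        print(flow)
```

The same grouping applies unchanged to Suricata EVE JSON in production; only `parse_alerts` needs swapping for a `json.loads` per line, and the "seconds_to_high" value becomes the dwell time between first contact and the first high-confidence detection.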
AV Detection | Rows |
---|---|
Avira URL Cloud | 1 |
Malware Configuration Extractor | 1 |
Virustotal (Perma Link) | 1 |
Integrated Neural Analysis Model | 1 |
String decryptor | 8 |
Compliance | Rows |
---|---|
Unpacked PE file | 1 |
Static PE information | 2 |
HTTPS traffic detected | 9 |
Binary string | 1 |
Networking | Rows |
---|---|
Suricata IDS | 14 |
URLs | 8 |
IP Address | 2 |
ASN Name | 1 |
JA3 fingerprint | 1 |
HTTP traffic detected | 11 |
HTTPS traffic detected | 9 |
DNS traffic detected | 3 |
UDP traffic detected without corresponding DNS query | 3 |
Network traffic detected | 18 |
String found in binary or memory | 64 |

Other signatures | Rows |
---|---|
Static PE information | 6 |
Static file information | 1 |
Classification label | 1 |
Virustotal | 1 |
Key opened | 1 |
File read | 1 |
Section loaded | 38 |
Binary or memory string | 1 |
Binary string | 1 |
Data Obfuscation | Rows |
---|---|
Unpacked PE file | 1 |
Code function 0_3_006830B1 | 10 |
Code function 0_3_00683D10 | 7 |
Code function 0_3_0067CF6D | 4 |
Code function 0_3_0067CF55 | 4 |
Code function 0_3_0067CF51 | 4 |
Code function 0_3_0067A790 | 2 |
Registry key monitored for changes | 2 |
Process information set | 1 |
Malware Analysis System Evasion | Rows |
---|---|
WMI Queries | 3 |
System information queried | 1 |
Thread sleep time | 2 |
Binary or memory string | 3 |
Process information queried | 1 |
Queries volume information | 1 |
Key value queried | 1 |
Stealing of Sensitive Information | Rows |
---|---|
File source | 5 |
String found in binary or memory | 9 |
File opened | 128 |
Remote Access Functionality | Rows |
---|---|
File source | 4 |
Tactic | Techniques with signature hits (count) |
---|---|
Execution | Windows Management Instrumentation (12) |
Persistence | DLL Side-Loading (1) |
Privilege Escalation | DLL Side-Loading (1) |
Defense Evasion | Virtualization/Sandbox Evasion (21), Obfuscated Files or Information (1), Software Packing (1), DLL Side-Loading (1) |
Credential Access | OS Credential Dumping (2) |
Discovery | Security Software Discovery (221), System Information Discovery (22), Virtualization/Sandbox Evasion (21), Query Registry (1), Process Discovery (1) |
Collection | Data from Local System (4) |
Command and Control | Application Layer Protocol (114), Non-Application Layer Protocol (3), Encrypted Channel (1), Ingress Tool Transfer (1) |
Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration, Impact | none |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 8% | Virustotal | | Browse |

URL scans | Count |
---|---|
Avira URL Cloud, rated malware (100%) | 1 |
Avira URL Cloud, rated safe (0%) | 19 |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
bzondingmoments.tech | 104.21.17.68 | true | true | | unknown |
t.me | 149.154.167.99 | true | false | | high |
qodcsxcvbdbtcih.itrw | unknown | unknown | false | | unknown |

Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
(3 entries) | true | | unknown |
(7 entries) | false | | high |

Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
(32 entries) | | false | | high |
(17 entries) | | false | | unknown |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
104.21.17.68 | bzondingmoments.tech | United States | 13335 | CLOUDFLARENETUS | true |
149.154.167.99 | t.me | United Kingdom | 62041 | TELEGRAMRU | false |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1617413 |
Start date and time: | 2025-02-17 22:14:41 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 15s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 4 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | keynote.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@1/11@3/2 |
EGA Information: | Failed |
Cookbook Comments:
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.45
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target keynote.exe, PID 7324 because there are no executed functions
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big: too many NtOpenKeyEx calls found
- Report size getting too big: too many NtQueryValueKey calls found
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description |
---|---|---|
16:15:37 | API Interceptor |
Match | Type | Similar samples | Threat names (count) |
---|---|---|---|
149.154.167.99 | IP | 10 | Unknown (9), Cinoshi Stealer (1) |
t.me | Domain | 9 | LummaC Stealer (4), Vidar (3), Unknown (2) |
TELEGRAMRU | ASN | 10 | Unknown (5), GuLoader + Snake Keylogger (3), Vidar (1), AgentTesla (1) |
CLOUDFLARENETUS | ASN | 10 | LummaC Stealer (5), CAPTCHA Scam ClickFix (2), LummaC Stealer + PureLog Stealer + zgRAT (1), GuLoader + Snake Keylogger (1), Unknown (1) |
a0e9f5d64349fb13191bc781f81f42e1 | JA3 fingerprint | 10 | LummaC Stealer (7), LummaC Stealer + PureLog Stealer + zgRAT (1), Unknown (2) |

The Telegram and Cloudflare matches above are shared infrastructure and the JA3 hash identifies a TLS client stack rather than a malware family, so none of these rows is a standalone indicator; the extracted C2 hostnames are.
Dropped files: all five below were written by keynote.exe, are rated non-malicious, and have entropy between 0.08 and 2.58 bits per byte, so they are plaintext or sparse data staged by the stealer, not encrypted or packed payloads.

Process: | C:\Users\user\Desktop\keynote.exe |
Category: | dropped |
Size (bytes): | 106496 |
Entropy (8bit): | 1.1358696453229276 |
Encrypted: | false |
SSDEEP: | 192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544 |
MD5: | 28591AA4E12D1C4FC761BE7C0A468622 |
SHA1: | BC4968A84C19377D05A8BB3F208FBFAC49F4820B |
SHA-256: | 51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9 |
SHA-512: | 5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB |
Malicious: | false |
Reputation: | high, very likely benign file |

Process: | C:\Users\user\Desktop\keynote.exe |
Category: | dropped |
Size (bytes): | 40960 |
Entropy (8bit): | 0.8553638852307782 |
Encrypted: | false |
SSDEEP: | 48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil |
MD5: | 28222628A3465C5F0D4B28F70F97F482 |
SHA1: | 1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14 |
SHA-256: | 93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4 |
SHA-512: | C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7 |
Malicious: | false |
Reputation: | high, very likely benign file |

Process: | C:\Users\user\Desktop\keynote.exe |
Category: | dropped |
Size (bytes): | 98304 |
Entropy (8bit): | 0.08235737944063153 |
Encrypted: | false |
SSDEEP: | 12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO |
MD5: | 369B6DD66F1CAD49D0952C40FEB9AD41 |
SHA1: | D05B2DE29433FB113EC4C558FF33087ED7481DD4 |
SHA-256: | 14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D |
SHA-512: | 771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928 |
Malicious: | false |
Reputation: | high, very likely benign file |

Process: | C:\Users\user\Desktop\keynote.exe |
Category: | dropped |
Size (bytes): | 28672 |
Entropy (8bit): | 2.5793180405395284 |
Encrypted: | false |
SSDEEP: | 96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz |
MD5: | 41EA9A4112F057AE6BA17E2838AEAC26 |
SHA1: | F2B389103BFD1A1A050C4857A995B09FEAFE8903 |
SHA-256: | CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB |
SHA-512: | 29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103 |
Malicious: | false |
Reputation: | high, very likely benign file |

Process: | C:\Users\user\Desktop\keynote.exe |
Category: | dropped |
Size (bytes): | 229376 |
Entropy (8bit): | 0.64343788909108 |
Encrypted: | false |
SSDEEP: | 384:A1zkVmvQhyn+Zoz67dNlIMMz333JGN8j/LKXYj5kuv:AUUMXCyIr |
MD5: | B6787B79D64948AAC1D6359AC18AB268 |
SHA1: | 0831EB15AB2B330BE95975A24F8945ED284D0BA4 |
SHA-256: | 9D6FD3B8AB8AA7934C75EDE36CEB9CF4DDAD06C5031E89872B4E814D7DB674E2 |
SHA-512: | 9296866380EF966F1CB6E69B7B84D1A86CD5AE8D9A7332C57543875FAA4FC7F1387A4CF83B7D662E4BAB0381E4AFC9CB9999075EBB497C6756DF770454F3530E |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\keynote.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 49152 |
Entropy (8bit): | 0.8180424350137764 |
Encrypted: | false |
SSDEEP: | 96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG |
MD5: | 349E6EB110E34A08924D92F6B334801D |
SHA1: | BDFB289DAFF51890CC71697B6322AA4B35EC9169 |
SHA-256: | C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A |
SHA-512: | 2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\keynote.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 5242880 |
Entropy (8bit): | 0.037963276276857943 |
Encrypted: | false |
SSDEEP: | 192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ |
MD5: | C0FDF21AE11A6D1FA1201D502614B622 |
SHA1: | 11724034A1CC915B061316A96E79E9DA6A00ADE8 |
SHA-256: | FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC |
SHA-512: | A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\keynote.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 159744 |
Entropy (8bit): | 0.7873599747470391 |
Encrypted: | false |
SSDEEP: | 96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v |
MD5: | 6A6BAD38068B0F6F2CADC6464C4FE8F0 |
SHA1: | 4E3B235898D8E900548613DDB6EA59CDA5EB4E68 |
SHA-256: | 0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982 |
SHA-512: | BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\keynote.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 40960 |
Entropy (8bit): | 0.8553638852307782 |
Encrypted: | false |
SSDEEP: | 48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil |
MD5: | 28222628A3465C5F0D4B28F70F97F482 |
SHA1: | 1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14 |
SHA-256: | 93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4 |
SHA-512: | C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\keynote.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 294912 |
Entropy (8bit): | 0.08436842005578409 |
Encrypted: | false |
SSDEEP: | 192:5va0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23vIn:51zkVmvQhyn+Zoz67n |
MD5: | 2CD2840E30F477F23438B7C9D031FC08 |
SHA1: | 03D5410A814B298B068D62ACDF493B2A49370518 |
SHA-256: | 49F56AAA16086F2A9DB340CC9A6E8139E076765C1BFED18B1725CC3B395DC28D |
SHA-512: | DCDD722C3A8AD79265616ADDDCA208E068E4ECEBE8820E4ED16B1D1E07FD52EB3A59A22988450071CFDA50BBFF7CB005ADF05A843DA38421F28572F3433C0F19 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\keynote.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 126976 |
Entropy (8bit): | 0.47147045728725767 |
Encrypted: | false |
SSDEEP: | 96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u |
MD5: | A2D1F4CF66465F9F0CAC61C4A95C7EDE |
SHA1: | BA6A845E247B221AAEC96C4213E1FD3744B10A27 |
SHA-256: | B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE |
SHA-512: | C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 5.0404066992994965 |
TrID: | |
File name: | keynote.exe |
File size: | 6'303'232 bytes |
MD5: | c917b7129ef904754323b0daeb255461 |
SHA1: | 3b81ee4909706e9a4c8e52521dd26cb65c42d368 |
SHA256: | a1ef7879bf82edfb76625282ebcc27c24be86b370bcf9fe78064848c47db0cf3 |
SHA512: | 0e4a4c265b5f5bb9624c4467723d58bea55c61e76c129110ebc57f171c412260e39f733e10b5d52e77fa47516040aef8c185d9a7850970b5806e02f7d6910bc1 |
SSDEEP: | 24576:SQgVxajh8GmU+8EpbUAEp4Wfgc1UtDP6zI8Fa6p5KjB0ZqSB3ctmwKMleKeO25NF:nj9WH6LFapB0QoxO25sR |
TLSH: | B2567161D537680F9ACA3A7E7671378CB43758A70BC198799E4F1A6DACE013C8AC4743 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........H...)...)...).......)...Q...)...)...)..7....)..7.H..)...) ..)..7....)..Rich.)..........PE..L......g...............*.._........ |
Icon Hash: | 8b939393b39de10b |
Entrypoint: | 0x401200 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x67B386A3 [Mon Feb 17 18:57:39 2025 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 4383199e38059ee0c77b99ee131e5312 |
Instruction |
---|
push ebp |
mov ebp, esp |
sub esp, 28h |
lea eax, dword ptr [ebp-28h] |
push eax |
call dword ptr [009FB004h] |
mov ecx, dword ptr [ebp-14h] |
mov dword ptr [ebp-04h], ecx |
cmp dword ptr [ebp-04h], 02h |
jnc 00007F47A91FBAE9h |
mov eax, 00000001h |
jmp 00007F47A91FBAF0h |
call 00007F47A920EF3Dh |
push 00000001h |
call dword ptr [009FB008h] |
nop |
mov esp, ebp |
pop ebp |
retn 0010h |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
push ebp |
mov ebp, esp |
mov eax, dword ptr fs:[00000030h] |
mov eax, dword ptr [eax+0Ch] |
mov eax, dword ptr [eax+0Ch] |
mov eax, dword ptr [eax] |
mov eax, dword ptr [eax] |
mov eax, dword ptr [eax+18h] |
pop ebp |
ret |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
push ebp |
mov ebp, esp |
push ecx |
mov dword ptr [ebp-04h], 00000000h |
jmp 00007F47A91FBAEBh |
mov eax, dword ptr [ebp-04h] |
add eax, 01h |
mov dword ptr [ebp-04h], eax |
mov ecx, dword ptr [ebp+08h] |
add ecx, dword ptr [ebp-04h] |
movsx edx, byte ptr [ecx] |
test edx, edx |
je 00007F47A91FBAE4h |
jmp 00007F47A91FBACAh |
mov eax, dword ptr [ebp-04h] |
mov esp, ebp |
pop ebp |
retn 0004h |
int3 |
int3 |
push ebp |
mov ebp, esp |
sub esp, 1Ch |
cmp dword ptr [ebp+08h], 00000000h |
jne 00007F47A91FBAE9h |
xor eax, eax |
jmp 00007F47A91FBC68h |
mov eax, dword ptr [ebp+08h] |
push eax |
call 00007F47A91FBA99h |
mov dword ptr [ebp-0Ch], eax |
cmp dword ptr [ebp-0Ch], 00000000h |
jne 00007F47A91FBAE9h |
xor eax, eax |
jmp 00007F47A91FBC4Fh |
mov dword ptr [ebp-04h], 00000000h |
mov dword ptr [ebp-18h], 00000000h |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5fb214 | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5fe000 | 0x122a | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x600000 | 0x772c | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x5fb014 | 0x70 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x5fb000 | 0x14 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x5f97eb | 0x5f9800 | 30d9028b609dae4fcd027cd646ea118e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x5fb000 | 0x298 | 0x400 | 85f4433d4673775bccde48ff6e73e711 | False | 0.392578125 | data | 3.201946012710144 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x5fc000 | 0x1160 | 0x200 | e31613e7ebe7a927ba852f2375a19cc0 | False | 0.044921875 | data | 0.12227588125913882 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x5fe000 | 0x122a | 0x1400 | 2063a5d1e72ea20c618dbbb511ff3f65 | False | 0.3380859375 | data | 4.874945698344955 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x600000 | 0x772c | 0x7800 | 7f71f5a23661985ab5ea7307cda3752d | False | 0.6435221354166667 | data | 6.110412084686699 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x5fe1c0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.33064516129032256 |
RT_ICON | 0x5fe4a8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | | | 0.3682795698924731 |
RT_GROUP_ICON | 0x5fe790 | 0x14 | data | English | United States | 1.2 |
RT_GROUP_ICON | 0x5fe7a4 | 0x14 | data | | | 1.25 |
RT_VERSION | 0x5fe7b8 | 0x30c | data | English | United States | 0.4987179487179487 |
RT_MANIFEST | 0x5feac4 | 0x766 | XML 1.0 document, ASCII text, with CRLF, LF line terminators | English | United States | 0.3907074973600845 |
DLL | Import |
---|---|
KERNEL32.dll | GlobalFree, GetSystemInfo, ExitProcess, GlobalAlloc |
Description | Data |
---|---|
FileDescription | KeyNote NF 2.0.4.1 (x64) |
FileVersion | 2.0.4.1 |
LegalCopyright | (c) Daniel Prado 2007-25 (c) Marek Jedlinski 2000-05 |
LegalTrademarks | Free software, MPL 2.0 |
OriginalFilename | keynote.exe |
ProductName | Task Manager DeLuxe |
ProductVersion | 2.0.4.1 |
Translation | 0x0409 0x04e4 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-02-17T22:15:37.726568+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 149.154.167.99 | 443 | TCP |
2025-02-17T22:15:38.578633+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49732 | 104.21.17.68 | 443 | TCP |
2025-02-17T22:15:50.313083+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49732 | 104.21.17.68 | 443 | TCP |
2025-02-17T22:15:50.313083+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49732 | 104.21.17.68 | 443 | TCP |
2025-02-17T22:15:50.803538+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49733 | 104.21.17.68 | 443 | TCP |
2025-02-17T22:15:51.355392+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49733 | 104.21.17.68 | 443 | TCP |
2025-02-17T22:15:52.446712+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49735 | 104.21.17.68 | 443 | TCP |
2025-02-17T22:16:00.660795+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49735 | 104.21.17.68 | 443 | TCP |
2025-02-17T22:16:01.227746+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49741 | 104.21.17.68 | 443 | TCP |
2025-02-17T22:16:03.563691+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49742 | 104.21.17.68 | 443 | TCP |
2025-02-17T22:16:05.906066+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49743 | 104.21.17.68 | 443 | TCP |
2025-02-17T22:16:07.818289+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49744 | 104.21.17.68 | 443 | TCP |
2025-02-17T22:16:10.510517+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49745 | 104.21.17.68 | 443 | TCP |
2025-02-17T22:16:11.359519+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49745 | 104.21.17.68 | 443 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 17, 2025 22:15:37.105415106 CET | 49731 | 443 | 192.168.2.4 | 149.154.167.99 |
Feb 17, 2025 22:15:37.105446100 CET | 443 | 49731 | 149.154.167.99 | 192.168.2.4 |
Feb 17, 2025 22:15:37.105530024 CET | 49731 | 443 | 192.168.2.4 | 149.154.167.99 |
Feb 17, 2025 22:15:37.108515978 CET | 49731 | 443 | 192.168.2.4 | 149.154.167.99 |
Feb 17, 2025 22:15:37.108530998 CET | 443 | 49731 | 149.154.167.99 | 192.168.2.4 |
Feb 17, 2025 22:15:37.726409912 CET | 443 | 49731 | 149.154.167.99 | 192.168.2.4 |
Feb 17, 2025 22:15:37.726567984 CET | 49731 | 443 | 192.168.2.4 | 149.154.167.99 |
Feb 17, 2025 22:15:37.729923964 CET | 49731 | 443 | 192.168.2.4 | 149.154.167.99 |
Feb 17, 2025 22:15:37.729943037 CET | 443 | 49731 | 149.154.167.99 | 192.168.2.4 |
Feb 17, 2025 22:15:37.730407953 CET | 443 | 49731 | 149.154.167.99 | 192.168.2.4 |
Feb 17, 2025 22:15:37.780035019 CET | 49731 | 443 | 192.168.2.4 | 149.154.167.99 |
Feb 17, 2025 22:15:37.791469097 CET | 49731 | 443 | 192.168.2.4 | 149.154.167.99 |
Feb 17, 2025 22:15:37.835329056 CET | 443 | 49731 | 149.154.167.99 | 192.168.2.4 |
Feb 17, 2025 22:15:38.004730940 CET | 443 | 49731 | 149.154.167.99 | 192.168.2.4 |
Feb 17, 2025 22:15:38.004757881 CET | 443 | 49731 | 149.154.167.99 | 192.168.2.4 |
Feb 17, 2025 22:15:38.004767895 CET | 443 | 49731 | 149.154.167.99 | 192.168.2.4 |
Feb 17, 2025 22:15:38.004851103 CET | 443 | 49731 | 149.154.167.99 | 192.168.2.4 |
Feb 17, 2025 22:15:38.004873037 CET | 49731 | 443 | 192.168.2.4 | 149.154.167.99 |
Feb 17, 2025 22:15:38.004887104 CET | 443 | 49731 | 149.154.167.99 | 192.168.2.4 |
Feb 17, 2025 22:15:38.004960060 CET | 49731 | 443 | 192.168.2.4 | 149.154.167.99 |
Feb 17, 2025 22:15:38.004960060 CET | 49731 | 443 | 192.168.2.4 | 149.154.167.99 |
Feb 17, 2025 22:15:38.013544083 CET | 49731 | 443 | 192.168.2.4 | 149.154.167.99 |
Feb 17, 2025 22:15:38.013544083 CET | 49731 | 443 | 192.168.2.4 | 149.154.167.99 |
Feb 17, 2025 22:15:38.013555050 CET | 443 | 49731 | 149.154.167.99 | 192.168.2.4 |
Feb 17, 2025 22:15:38.013561964 CET | 443 | 49731 | 149.154.167.99 | 192.168.2.4 |
Feb 17, 2025 22:15:38.083055973 CET | 49732 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:15:38.083075047 CET | 443 | 49732 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:38.083158970 CET | 49732 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:15:38.083619118 CET | 49732 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:15:38.083632946 CET | 443 | 49732 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:38.578536034 CET | 443 | 49732 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:38.578633070 CET | 49732 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:15:38.593632936 CET | 49732 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:15:38.593648911 CET | 443 | 49732 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:38.594300985 CET | 443 | 49732 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:38.603530884 CET | 49732 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:15:38.603530884 CET | 49732 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:15:38.603620052 CET | 443 | 49732 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:50.313090086 CET | 443 | 49732 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:50.313220978 CET | 443 | 49732 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:50.313308954 CET | 49732 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:15:50.343085051 CET | 49732 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:15:50.343085051 CET | 49732 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:15:50.343111038 CET | 443 | 49732 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:50.343125105 CET | 443 | 49732 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:50.345396042 CET | 49733 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:15:50.345432997 CET | 443 | 49733 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:50.345577955 CET | 49733 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:15:50.346292973 CET | 49733 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:15:50.346307993 CET | 443 | 49733 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:50.803472042 CET | 443 | 49733 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:50.803538084 CET | 49733 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:15:50.805746078 CET | 49733 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:15:50.805768967 CET | 443 | 49733 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:50.806111097 CET | 443 | 49733 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:50.807437897 CET | 49733 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:15:50.807437897 CET | 49733 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:15:50.807514906 CET | 443 | 49733 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:51.355439901 CET | 443 | 49733 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:51.355572939 CET | 443 | 49733 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:51.355608940 CET | 443 | 49733 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:51.355660915 CET | 443 | 49733 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:51.355679035 CET | 49733 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:15:51.355711937 CET | 443 | 49733 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:51.355736017 CET | 49733 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:15:51.355854034 CET | 443 | 49733 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:51.355906010 CET | 443 | 49733 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:51.355987072 CET | 49733 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:15:51.356004953 CET | 443 | 49733 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:51.356064081 CET | 49733 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:15:51.356074095 CET | 443 | 49733 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:51.359719038 CET | 443 | 49733 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:51.359751940 CET | 443 | 49733 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:51.359888077 CET | 49733 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:15:51.359901905 CET | 443 | 49733 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:51.359918118 CET | 443 | 49733 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:51.359951973 CET | 49733 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:15:51.405078888 CET | 49733 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:15:51.441535950 CET | 443 | 49733 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:51.441633940 CET | 443 | 49733 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:51.441728115 CET | 49733 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:15:51.441740036 CET | 443 | 49733 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:51.441813946 CET | 443 | 49733 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:51.441883087 CET | 49733 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:15:51.442018986 CET | 49733 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:15:51.442038059 CET | 443 | 49733 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:51.442050934 CET | 49733 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:15:51.442068100 CET | 443 | 49733 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:51.971420050 CET | 49735 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:15:51.971462965 CET | 443 | 49735 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:51.971548080 CET | 49735 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:15:51.971936941 CET | 49735 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:15:51.971957922 CET | 443 | 49735 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:52.446636915 CET | 443 | 49735 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:52.446712017 CET | 49735 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:15:52.448195934 CET | 49735 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:15:52.448209047 CET | 443 | 49735 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:52.448451996 CET | 443 | 49735 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:52.449717999 CET | 49735 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:15:52.449798107 CET | 49735 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:15:52.449826956 CET | 443 | 49735 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:15:52.449982882 CET | 49735 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:15:52.449990034 CET | 443 | 49735 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:00.660777092 CET | 443 | 49735 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:00.660851002 CET | 443 | 49735 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:00.660923958 CET | 49735 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:00.662741899 CET | 49735 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:00.662754059 CET | 443 | 49735 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:00.760565996 CET | 49741 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:00.760622978 CET | 443 | 49741 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:00.760716915 CET | 49741 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:00.761023045 CET | 49741 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:00.761044979 CET | 443 | 49741 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:01.227504015 CET | 443 | 49741 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:01.227746010 CET | 49741 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:01.232764959 CET | 49741 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:01.232777119 CET | 443 | 49741 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:01.233017921 CET | 443 | 49741 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:01.242633104 CET | 49741 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:01.242703915 CET | 49741 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:01.242743015 CET | 443 | 49741 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:01.899039984 CET | 443 | 49741 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:01.899161100 CET | 443 | 49741 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:01.899220943 CET | 49741 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:01.899250031 CET | 49741 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:01.899267912 CET | 443 | 49741 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:02.650073051 CET | 49742 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:02.650108099 CET | 443 | 49742 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:02.650187969 CET | 49742 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:02.650487900 CET | 49742 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:02.650506973 CET | 443 | 49742 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:03.563585043 CET | 443 | 49742 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:03.563690901 CET | 49742 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:03.565052986 CET | 49742 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:03.565074921 CET | 443 | 49742 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:03.565331936 CET | 443 | 49742 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:03.566545963 CET | 49742 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:03.566668034 CET | 49742 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:03.566701889 CET | 443 | 49742 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:03.566792011 CET | 49742 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:03.566804886 CET | 443 | 49742 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:04.812153101 CET | 443 | 49742 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:04.812397003 CET | 443 | 49742 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:04.812468052 CET | 49742 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:04.813711882 CET | 49742 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:04.813731909 CET | 443 | 49742 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:05.448379993 CET | 49743 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:05.448411942 CET | 443 | 49743 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:05.448587894 CET | 49743 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:05.448765039 CET | 49743 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:05.448781967 CET | 443 | 49743 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:05.905858040 CET | 443 | 49743 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:05.906065941 CET | 49743 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:05.907249928 CET | 49743 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:05.907262087 CET | 443 | 49743 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:05.907599926 CET | 443 | 49743 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:05.908767939 CET | 49743 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:05.908767939 CET | 49743 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:05.908803940 CET | 443 | 49743 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:06.797404051 CET | 443 | 49743 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:06.797517061 CET | 443 | 49743 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:06.797621965 CET | 49743 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:06.797842979 CET | 49743 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:06.797858953 CET | 443 | 49743 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:07.345278978 CET | 49744 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:07.345305920 CET | 443 | 49744 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:07.345432997 CET | 49744 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:07.345709085 CET | 49744 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:07.345719099 CET | 443 | 49744 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:07.818063021 CET | 443 | 49744 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:07.818289042 CET | 49744 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:07.819519043 CET | 49744 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:07.819539070 CET | 443 | 49744 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:07.820132971 CET | 443 | 49744 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:07.821397066 CET | 49744 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:07.822073936 CET | 49744 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:07.822113991 CET | 443 | 49744 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:07.822206020 CET | 49744 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:07.822246075 CET | 443 | 49744 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:07.822345972 CET | 49744 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:07.822403908 CET | 443 | 49744 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:07.822499990 CET | 49744 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:07.822536945 CET | 443 | 49744 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:07.822670937 CET | 49744 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:07.822700024 CET | 443 | 49744 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:07.822839975 CET | 49744 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:07.822869062 CET | 443 | 49744 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:07.822880983 CET | 49744 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:07.822978973 CET | 49744 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:07.823014021 CET | 49744 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:07.841753960 CET | 443 | 49744 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:07.841907024 CET | 49744 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:07.841953993 CET | 49744 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:07.841968060 CET | 49744 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:07.841984987 CET | 443 | 49744 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:07.842113972 CET | 49744 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:07.842149973 CET | 49744 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:07.842174053 CET | 49744 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:07.842749119 CET | 443 | 49744 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:07.842947960 CET | 49744 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:07.842955112 CET | 443 | 49744 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:09.970789909 CET | 443 | 49744 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:09.971025944 CET | 443 | 49744 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:09.971097946 CET | 49744 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:09.971097946 CET | 49744 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:10.023338079 CET | 49745 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:10.023359060 CET | 443 | 49745 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:10.023598909 CET | 49745 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:10.023720980 CET | 49745 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:10.023745060 CET | 443 | 49745 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:10.510205984 CET | 443 | 49745 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:10.510516882 CET | 49745 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:10.511642933 CET | 49745 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:10.511650085 CET | 443 | 49745 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:10.511876106 CET | 443 | 49745 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:10.513042927 CET | 49745 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:10.513042927 CET | 49745 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:10.513108015 CET | 443 | 49745 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:11.359606028 CET | 443 | 49745 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:11.359858036 CET | 443 | 49745 | 104.21.17.68 | 192.168.2.4 |
Feb 17, 2025 22:16:11.360033989 CET | 49745 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:11.360033989 CET | 49745 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:11.360421896 CET | 49745 | 443 | 192.168.2.4 | 104.21.17.68 |
Feb 17, 2025 22:16:11.360435963 CET | 443 | 49745 | 104.21.17.68 | 192.168.2.4 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 17, 2025 22:15:37.094011068 CET | 60769 | 53 | 192.168.2.4 | 1.1.1.1 |
Feb 17, 2025 22:15:37.100699902 CET | 53 | 60769 | 1.1.1.1 | 192.168.2.4 |
Feb 17, 2025 22:15:38.015898943 CET | 50498 | 53 | 192.168.2.4 | 1.1.1.1 |
Feb 17, 2025 22:15:38.024532080 CET | 53 | 50498 | 1.1.1.1 | 192.168.2.4 |
Feb 17, 2025 22:15:38.057872057 CET | 55943 | 53 | 192.168.2.4 | 1.1.1.1 |
Feb 17, 2025 22:15:38.076103926 CET | 53 | 55943 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Feb 17, 2025 22:15:37.094011068 CET | 192.168.2.4 | 1.1.1.1 | 0xe737 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Feb 17, 2025 22:15:38.015898943 CET | 192.168.2.4 | 1.1.1.1 | 0x892c | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Feb 17, 2025 22:15:38.057872057 CET | 192.168.2.4 | 1.1.1.1 | 0x66d9 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Feb 17, 2025 22:15:37.100699902 CET | 1.1.1.1 | 192.168.2.4 | 0xe737 | No error (0) | | | 149.154.167.99 | A (IP address) | IN (0x0001) | false |
Feb 17, 2025 22:15:38.024532080 CET | 1.1.1.1 | 192.168.2.4 | 0x892c | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Feb 17, 2025 22:15:38.076103926 CET | 1.1.1.1 | 192.168.2.4 | 0x66d9 | No error (0) | | | 104.21.17.68 | A (IP address) | IN (0x0001) | false |
Feb 17, 2025 22:15:38.076103926 CET | 1.1.1.1 | 192.168.2.4 | 0x66d9 | No error (0) | | | 172.67.223.54 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.4 | 49731 | 149.154.167.99 | 443 | 7324 | C:\Users\user\Desktop\keynote.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-02-17 21:15:37 UTC | 193 | OUT | |
2025-02-17 21:15:38 UTC | 512 | IN | |
2025-02-17 21:15:38 UTC | 12419 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.4 | 49732 | 104.21.17.68 | 443 | 7324 | C:\Users\user\Desktop\keynote.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-02-17 21:15:38 UTC | 267 | OUT | |
2025-02-17 21:15:38 UTC | 8 | OUT | |
2025-02-17 21:15:50 UTC | 1046 | IN | |
2025-02-17 21:15:50 UTC | 7 | IN | |
2025-02-17 21:15:50 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.4 | 49733 | 104.21.17.68 | 443 | 7324 | C:\Users\user\Desktop\keynote.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-02-17 21:15:50 UTC | 268 | OUT | |
2025-02-17 21:15:50 UTC | 43 | OUT | |
2025-02-17 21:15:51 UTC | 1048 | IN | |
2025-02-17 21:15:51 UTC | 321 | IN | |
2025-02-17 21:15:51 UTC | 1369 | IN | |
2025-02-17 21:15:51 UTC | 1369 | IN | |
2025-02-17 21:15:51 UTC | 1369 | IN | |
2025-02-17 21:15:51 UTC | 1369 | IN | |
2025-02-17 21:15:51 UTC | 1369 | IN | |
2025-02-17 21:15:51 UTC | 1369 | IN | |
2025-02-17 21:15:51 UTC | 1369 | IN | |
2025-02-17 21:15:51 UTC | 1369 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.4 | 49735 | 104.21.17.68 | 443 | 7324 | C:\Users\user\Desktop\keynote.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-02-17 21:15:52 UTC | 277 | OUT | |
2025-02-17 21:15:52 UTC | 15331 | OUT | |
2025-02-17 21:15:52 UTC | 2775 | OUT | |
2025-02-17 21:16:00 UTC | 1046 | IN | |
2025-02-17 21:16:00 UTC | 20 | IN | |
2025-02-17 21:16:00 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.4 | 49741 | 104.21.17.68 | 443 | 7324 | C:\Users\user\Desktop\keynote.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-02-17 21:16:01 UTC | 279 | OUT | |
2025-02-17 21:16:01 UTC | 4920 | OUT | |
2025-02-17 21:16:01 UTC | 1044 | IN | |
2025-02-17 21:16:01 UTC | 20 | IN | |
2025-02-17 21:16:01 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.4 | 49742 | 104.21.17.68 | 443 | 7324 | C:\Users\user\Desktop\keynote.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-02-17 21:16:03 UTC | 287 | OUT | |
2025-02-17 21:16:03 UTC | 15331 | OUT | |
2025-02-17 21:16:03 UTC | 5109 | OUT | |
2025-02-17 21:16:04 UTC | 1045 | IN | |
2025-02-17 21:16:04 UTC | 20 | IN | |
2025-02-17 21:16:04 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.4 | 49743 | 104.21.17.68 | 443 | 7324 | C:\Users\user\Desktop\keynote.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-02-17 21:16:05 UTC | 283 | OUT | |
2025-02-17 21:16:05 UTC | 2567 | OUT | |
2025-02-17 21:16:06 UTC | 1045 | IN | |
2025-02-17 21:16:06 UTC | 20 | IN | |
2025-02-17 21:16:06 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.4 | 49744 | 104.21.17.68 | 443 | 7324 | C:\Users\user\Desktop\keynote.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-02-17 21:16:07 UTC | 281 | OUT | |
2025-02-17 21:16:07 UTC | 15331 | OUT | |
2025-02-17 21:16:07 UTC | 15331 | OUT | |
2025-02-17 21:16:07 UTC | 15331 | OUT | |
2025-02-17 21:16:07 UTC | 15331 | OUT | |
2025-02-17 21:16:07 UTC | 15331 | OUT | |
2025-02-17 21:16:07 UTC | 15331 | OUT | |
2025-02-17 21:16:07 UTC | 15331 | OUT | |
2025-02-17 21:16:07 UTC | 15331 | OUT | |
2025-02-17 21:16:07 UTC | 15331 | OUT | |
2025-02-17 21:16:07 UTC | 15331 | OUT | |
2025-02-17 21:16:09 UTC | 1056 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
8 | 192.168.2.4 | 49745 | 104.21.17.68 | 443 | 7324 | C:\Users\user\Desktop\keynote.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-02-17 21:16:10 UTC | 268 | OUT | |
2025-02-17 21:16:10 UTC | 77 | OUT | |
2025-02-17 21:16:11 UTC | 1042 | IN | |
2025-02-17 21:16:11 UTC | 54 | IN | |
2025-02-17 21:16:11 UTC | 5 | IN |
Target ID: | 0 |
Start time: | 16:15:35 |
Start date: | 17/02/2025 |
Path: | C:\Users\user\Desktop\keynote.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xc70000 |
File size: | 6'303'232 bytes |
MD5 hash: | C917B7129EF904754323B0DAEB255461 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | true |