Windows
Analysis Report
External2.4.exe1.exe
Overview
General Information
Detection
LummaC Stealer
Score: 100
Range: 0 - 100
Confidence: 100%
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
Allocates memory in foreign processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to modify clipboard data
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
- External2.4.exe1.exe (PID: 6920, cmdline: "C:\Users\user\Desktop\External2.4.exe1.exe", MD5: 2827BD97BB778245FCCFF32AB3F8F69C)
  - BitLockerToGo.exe (PID: 6508, cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe", MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
No configs have been found
Rule | Description | Author |
---|---|---|
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |

Rule | Description | Author |
---|---|---|
JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-03-10T15:34:06.332051+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.12 | 49749 | 149.154.167.99 | 443 | TCP |
2025-03-10T15:34:08.248576+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.12 | 49752 | 104.21.77.86 | 443 | TCP |
2025-03-10T15:34:10.013872+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.12 | 49753 | 104.21.77.86 | 443 | TCP |
2025-03-10T15:34:22.446407+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.12 | 49755 | 104.21.77.86 | 443 | TCP |
2025-03-10T15:34:25.448595+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.12 | 49757 | 104.21.77.86 | 443 | TCP |
2025-03-10T15:34:28.750249+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.12 | 49758 | 104.21.77.86 | 443 | TCP |
2025-03-10T15:34:32.243241+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.12 | 49759 | 104.21.77.86 | 443 | TCP |
2025-03-10T15:34:38.460754+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.12 | 49760 | 104.21.77.86 | 443 | TCP |
2025-03-10T15:34:43.918273+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.12 | 49761 | 104.21.77.86 | 443 | TCP |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 DLL Side-Loading | 311 Process Injection | 21 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 221 Security Software Discovery | Remote Services | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 311 Process Injection | LSASS Memory | 21 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | 41 Data from Local System | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | 3 Clipboard Data | 14 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 22 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Detection | Scanner | Label |
---|---|---|
53% | Virustotal | |
45% | ReversingLabs | Win32.Spyware.Lummastealer |
100% | Avira | TR/AVI.Agent.mbnux |
⊘No Antivirus matches
Detection | Scanner | Label |
---|---|---|
100% | Avira URL Cloud | malware |
100% | Avira URL Cloud | malware |
100% | Avira URL Cloud | malware |
100% | Avira URL Cloud | malware |
100% | Avira URL Cloud | malware |
100% | Avira URL Cloud | malware |
100% | Avira URL Cloud | malware |
100% | Avira URL Cloud | malware |
0% | Avira URL Cloud | safe |
100% | Avira URL Cloud | malware |
0% | Avira URL Cloud | safe |
100% | Avira URL Cloud | malware |
100% | Avira URL Cloud | malware |
100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
t.me | 149.154.167.99 | true | false | | high |
astralconnec.icu | 104.21.77.86 | true | false | | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| false | | unknown |
| false | | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | high |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
104.21.77.86 | astralconnec.icu | United States | 13335 | CLOUDFLARENETUS | false |
149.154.167.99 | t.me | United Kingdom | 62041 | TELEGRAMRU | false |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1633711 |
Start date and time: | 2025-03-10 15:31:58 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 6m 8s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 7 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | External2.4.exe1.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@3/0@2/2 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 172.202.163.200
- Excluded domains from analysis (whitelisted): otelrules.svc.static.microsoft, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target External2.4.exe1.exe, PID 6920 because there are no executed functions
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description |
---|---|---|
10:34:06 | API Interceptor | |
Match | Detection | Threat Name |
---|---|---|
104.21.77.86 | malicious | Unknown |
149.154.167.99 | malicious | Unknown |
| malicious | Unknown |
| malicious | Unknown |
| malicious | Unknown |
| malicious | Unknown |
| malicious | Unknown |
| malicious | Unknown |
| malicious | Unknown |
| malicious | Unknown |
| malicious | Cinoshi Stealer |
Match | Detection | Threat Name |
---|---|---|
t.me | malicious | LummaC Stealer |
| malicious | LummaC Stealer |
| malicious | Unknown |
| malicious | LummaC Stealer |
| malicious | LummaC Stealer |
| malicious | LummaC Stealer |
| malicious | LummaC Stealer |
| malicious | LummaC Stealer |
| malicious | LummaC Stealer |
| malicious | Vidar |
astralconnec.icu | malicious | LummaC Stealer |
| malicious | LummaC Stealer |
| malicious | LummaC Stealer |
| malicious | LummaC Stealer |
| malicious | LummaC Stealer |
| malicious | LummaC Stealer |
Match | Detection | Threat Name |
---|---|---|
TELEGRAMRU | malicious | LummaC Stealer |
| malicious | LummaC Stealer |
| malicious | Unknown |
| malicious | Snake Keylogger, VIP Keylogger |
| malicious | Snake Keylogger, VIP Keylogger |
| malicious | GuLoader, Snake Keylogger |
| malicious | Snake Keylogger, VIP Keylogger |
| malicious | Snake Keylogger, VIP Keylogger |
| malicious | Unknown |
| malicious | Snake Keylogger, VIP Keylogger |
CLOUDFLARENETUS | malicious | LummaC Stealer, Xmrig |
| malicious | LummaC Stealer |
| malicious | LummaC Stealer |
| malicious | Unknown |
| malicious | Unknown |
| malicious | Unknown |
| malicious | HTMLPhisher |
| malicious | Unknown |
| malicious | HTMLPhisher |
| malicious | Gabagool |
Match | Detection | Threat Name |
---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | malicious | LummaC Stealer, Xmrig |
| malicious | LummaC Stealer |
| malicious | LummaC Stealer |
| malicious | Unknown |
| malicious | LummaC Stealer |
| malicious | Unknown |
| malicious | Unknown |
| malicious | Unknown |
| malicious | Unknown |
| malicious | LummaC Stealer |
⊘No context
⊘No created / dropped files found
File type: | |
Entropy (8bit): | 6.423124146416205 |
TrID: | |
File name: | External2.4.exe1.exe |
File size: | 6'304'256 bytes |
MD5: | 2827bd97bb778245fccff32ab3f8f69c |
SHA1: | 77ed291391e5809bcdeec8a549fdeccf51e36ceb |
SHA256: | 945837960320128c8b37dcabd74b1e754f2281b463d5a3e07c71052106d702bd |
SHA512: | be9bdf238f1f8c1a958c8d5a7236043b16c39739ed753952678abdbdccb7cd5e6adff805e62e732a5466d2c54d165b1aac54581b090152a0dda12b3e8c8738fe |
SSDEEP: | 49152:DhJgxB5z0PoeF1qhpumjIKuYj/wRcUSyE2VK4MFHWwBUBqF7WNfI/ZkPgBcqLIki:DLgxBmh1qh0eI4U3K4MF2ODa |
TLSH: | 84564B40F9DB14F5EA03293244A7A27F17346D094B38CFD7DA50BF6AEC776A10932A19 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........._..............l-..........n.......@Z...@..........................@c......O`...@................................ |
Icon Hash: | 337171f1f1727217 |
Entrypoint: | 0x466eb0 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x0 [Thu Jan 1 00:00:00 1970 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 1 |
File Version Major: | 6 |
File Version Minor: | 1 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 1 |
Import Hash: | 9cbefe68f395e67356e2a5d8d1b285c0 |
Instruction |
---|
jmp 00007F65ACC180B0h |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
mov ecx, dword ptr [esp+04h] |
sub esp, 28h |
mov dword ptr [esp+1Ch], ebx |
mov dword ptr [esp+10h], ebp |
mov dword ptr [esp+14h], esi |
mov dword ptr [esp+18h], edi |
mov esi, eax |
mov edx, dword ptr fs:[00000014h] |
cmp edx, 00000000h |
jne 00007F65ACC1A3E9h |
mov eax, 00000000h |
jmp 00007F65ACC1A446h |
mov edx, dword ptr [edx+00000000h] |
cmp edx, 00000000h |
jne 00007F65ACC1A3E7h |
call 00007F65ACC1A4D9h |
mov dword ptr [esp+20h], edx |
mov dword ptr [esp+24h], esp |
mov ebx, dword ptr [edx+18h] |
mov ebx, dword ptr [ebx] |
cmp edx, ebx |
je 00007F65ACC1A3FAh |
mov ebp, dword ptr fs:[00000014h] |
mov dword ptr [ebp+00000000h], ebx |
mov edi, dword ptr [ebx+1Ch] |
sub edi, 28h |
mov dword ptr [edi+24h], esp |
mov esp, edi |
mov ebx, dword ptr [ecx] |
mov ecx, dword ptr [ecx+04h] |
mov dword ptr [esp], ebx |
mov dword ptr [esp+04h], ecx |
mov dword ptr [esp+08h], edx |
call esi |
mov eax, dword ptr [esp+0Ch] |
mov esp, dword ptr [esp+24h] |
mov edx, dword ptr [esp+20h] |
mov ebp, dword ptr fs:[00000014h] |
mov dword ptr [ebp+00000000h], edx |
mov edi, dword ptr [esp+18h] |
mov esi, dword ptr [esp+14h] |
mov ebp, dword ptr [esp+10h] |
mov ebx, dword ptr [esp+1Ch] |
add esp, 28h |
retn 0004h |
ret |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
mov ecx, dword ptr [esp+04h] |
mov edx, dword ptr [ecx] |
mov eax, esp |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x60b000 | 0x3dc | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x62e000 | 0x5cc9 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x60c000 | 0x20ea4 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x5a4a20 | 0xa0 | .data |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x2d6ac5 | 0x2d6c00 | d55f5ff7a469492a06f4d92d4bf60392 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x2d8000 | 0x2cbb9c | 0x2cbc00 | bb459bdab0ef51182a8a5afe930f1d5c | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x5a4000 | 0x66b88 | 0x39200 | d05f475e6eaf9ee4e587c5f57a3dd8a6 | False | 0.4472784463894967 | data | 5.809484475247708 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0x60b000 | 0x3dc | 0x400 | e086a3cf2b26635ff8a317e9f679ba68 | False | 0.490234375 | data | 4.665217210783635 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.reloc | 0x60c000 | 0x20ea4 | 0x21000 | 1eff8098e477d5c0de89cfe96b77ca51 | False | 0.6142800071022727 | data | 6.673534674009906 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.symtab | 0x62d000 | 0x4 | 0x200 | 07b5472d347d42780469fb2654b7fc54 | False | 0.02734375 | data | 0.020393135236084953 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.rsrc | 0x62e000 | 0x5cc9 | 0x5e00 | 4a1b898fe700a17b1d71b54e7240fd09 | False | 0.3838098404255319 | data | 4.511401892727485 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x62e220 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2688 | English | United States | 0.5567697228144989 |
RT_ICON | 0x62f0c8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States | 0.6290613718411552 |
RT_ICON | 0x62f970 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | English | United States | 0.5664739884393064 |
RT_ICON | 0x62fed8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.2761410788381743 |
RT_ICON | 0x632480 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.34709193245778613 |
RT_ICON | 0x633528 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.49379432624113473 |
RT_GROUP_ICON | 0x633990 | 0x5a | data | English | United States | 0.7 |
RT_VERSION | 0x6339ec | 0x1a8 | data | English | United States | 0.5377358490566038 |
RT_MANIFEST | 0x633b94 | 0x135 | ASCII text | English | United States | 0.6957928802588996 |
DLL | Import |
---|---|
kernel32.dll | WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler |
Description | Data |
---|---|
FileDescription | ImDisk Toolkit Configuration |
ProductName | imdisk |
ProductVersion | 11.1.1.0 |
Translation | 0x0409 0x04b0 |
Language of compilation system | Country where language is spoken |
---|---|
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-03-10T15:34:06.332051+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.12 | 49749 | 149.154.167.99 | 443 | TCP |
2025-03-10T15:34:08.248576+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.12 | 49752 | 104.21.77.86 | 443 | TCP |
2025-03-10T15:34:10.013872+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.12 | 49753 | 104.21.77.86 | 443 | TCP |
2025-03-10T15:34:22.446407+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.12 | 49755 | 104.21.77.86 | 443 | TCP |
2025-03-10T15:34:25.448595+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.12 | 49757 | 104.21.77.86 | 443 | TCP |
2025-03-10T15:34:28.750249+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.12 | 49758 | 104.21.77.86 | 443 | TCP |
2025-03-10T15:34:32.243241+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.12 | 49759 | 104.21.77.86 | 443 | TCP |
2025-03-10T15:34:38.460754+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.12 | 49760 | 104.21.77.86 | 443 | TCP |
2025-03-10T15:34:43.918273+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.12 | 49761 | 104.21.77.86 | 443 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 10, 2025 15:34:04.299082041 CET | 49749 | 443 | 192.168.2.12 | 149.154.167.99 |
Mar 10, 2025 15:34:04.299137115 CET | 443 | 49749 | 149.154.167.99 | 192.168.2.12 |
Mar 10, 2025 15:34:04.299211979 CET | 49749 | 443 | 192.168.2.12 | 149.154.167.99 |
Mar 10, 2025 15:34:04.302695036 CET | 49749 | 443 | 192.168.2.12 | 149.154.167.99 |
Mar 10, 2025 15:34:04.302714109 CET | 443 | 49749 | 149.154.167.99 | 192.168.2.12 |
Mar 10, 2025 15:34:06.331983089 CET | 443 | 49749 | 149.154.167.99 | 192.168.2.12 |
Mar 10, 2025 15:34:06.332051039 CET | 49749 | 443 | 192.168.2.12 | 149.154.167.99 |
Mar 10, 2025 15:34:06.359443903 CET | 49749 | 443 | 192.168.2.12 | 149.154.167.99 |
Mar 10, 2025 15:34:06.359462976 CET | 443 | 49749 | 149.154.167.99 | 192.168.2.12 |
Mar 10, 2025 15:34:06.359831095 CET | 443 | 49749 | 149.154.167.99 | 192.168.2.12 |
Mar 10, 2025 15:34:06.410692930 CET | 49749 | 443 | 192.168.2.12 | 149.154.167.99 |
Mar 10, 2025 15:34:06.725281000 CET | 49749 | 443 | 192.168.2.12 | 149.154.167.99 |
Mar 10, 2025 15:34:06.768330097 CET | 443 | 49749 | 149.154.167.99 | 192.168.2.12 |
Mar 10, 2025 15:34:07.499977112 CET | 443 | 49749 | 149.154.167.99 | 192.168.2.12 |
Mar 10, 2025 15:34:07.500049114 CET | 443 | 49749 | 149.154.167.99 | 192.168.2.12 |
Mar 10, 2025 15:34:07.500068903 CET | 443 | 49749 | 149.154.167.99 | 192.168.2.12 |
Mar 10, 2025 15:34:07.500118017 CET | 443 | 49749 | 149.154.167.99 | 192.168.2.12 |
Mar 10, 2025 15:34:07.500200033 CET | 49749 | 443 | 192.168.2.12 | 149.154.167.99 |
Mar 10, 2025 15:34:07.500221014 CET | 443 | 49749 | 149.154.167.99 | 192.168.2.12 |
Mar 10, 2025 15:34:07.500260115 CET | 49749 | 443 | 192.168.2.12 | 149.154.167.99 |
Mar 10, 2025 15:34:07.500283957 CET | 443 | 49749 | 149.154.167.99 | 192.168.2.12 |
Mar 10, 2025 15:34:07.500345945 CET | 49749 | 443 | 192.168.2.12 | 149.154.167.99 |
Mar 10, 2025 15:34:07.503237009 CET | 49749 | 443 | 192.168.2.12 | 149.154.167.99 |
Mar 10, 2025 15:34:07.503269911 CET | 443 | 49749 | 149.154.167.99 | 192.168.2.12 |
Mar 10, 2025 15:34:07.503284931 CET | 49749 | 443 | 192.168.2.12 | 149.154.167.99 |
Mar 10, 2025 15:34:07.503295898 CET | 443 | 49749 | 149.154.167.99 | 192.168.2.12 |
Mar 10, 2025 15:34:07.566018105 CET | 49752 | 443 | 192.168.2.12 | 104.21.77.86 |
Mar 10, 2025 15:34:07.566068888 CET | 443 | 49752 | 104.21.77.86 | 192.168.2.12 |
Mar 10, 2025 15:34:07.566165924 CET | 49752 | 443 | 192.168.2.12 | 104.21.77.86 |
Mar 10, 2025 15:34:07.566467047 CET | 49752 | 443 | 192.168.2.12 | 104.21.77.86 |
Mar 10, 2025 15:34:07.566476107 CET | 443 | 49752 | 104.21.77.86 | 192.168.2.12 |
Mar 10, 2025 15:34:08.248575926 CET | 49752 | 443 | 192.168.2.12 | 104.21.77.86 |
Mar 10, 2025 15:34:08.250442028 CET | 49753 | 443 | 192.168.2.12 | 104.21.77.86 |
Mar 10, 2025 15:34:08.250509977 CET | 443 | 49753 | 104.21.77.86 | 192.168.2.12 |
Mar 10, 2025 15:34:08.251013041 CET | 49753 | 443 | 192.168.2.12 | 104.21.77.86 |
Mar 10, 2025 15:34:08.251013041 CET | 49753 | 443 | 192.168.2.12 | 104.21.77.86 |
Mar 10, 2025 15:34:08.251046896 CET | 443 | 49753 | 104.21.77.86 | 192.168.2.12 |
Mar 10, 2025 15:34:10.013777018 CET | 443 | 49753 | 104.21.77.86 | 192.168.2.12 |
Mar 10, 2025 15:34:10.013871908 CET | 49753 | 443 | 192.168.2.12 | 104.21.77.86 |
Mar 10, 2025 15:34:10.066951990 CET | 49753 | 443 | 192.168.2.12 | 104.21.77.86 |
Mar 10, 2025 15:34:10.066975117 CET | 443 | 49753 | 104.21.77.86 | 192.168.2.12 |
Mar 10, 2025 15:34:10.067831993 CET | 443 | 49753 | 104.21.77.86 | 192.168.2.12 |
Mar 10, 2025 15:34:10.070307970 CET | 49753 | 443 | 192.168.2.12 | 104.21.77.86 |
Mar 10, 2025 15:34:10.070415020 CET | 49753 | 443 | 192.168.2.12 | 104.21.77.86 |
Mar 10, 2025 15:34:10.070468903 CET | 443 | 49753 | 104.21.77.86 | 192.168.2.12 |
Mar 10, 2025 15:34:19.583307981 CET | 443 | 49753 | 104.21.77.86 | 192.168.2.12 |
Mar 10, 2025 15:34:19.590419054 CET | 443 | 49753 | 104.21.77.86 | 192.168.2.12 |
Mar 10, 2025 15:34:19.590461016 CET | 443 | 49753 | 104.21.77.86 | 192.168.2.12 |
Mar 10, 2025 15:34:19.590521097 CET | 49753 | 443 | 192.168.2.12 | 104.21.77.86 |
Mar 10, 2025 15:34:19.590545893 CET | 443 | 49753 | 104.21.77.86 | 192.168.2.12 |
Mar 10, 2025 15:34:19.590679884 CET | 49753 | 443 | 192.168.2.12 | 104.21.77.86 |
Mar 10, 2025 15:34:19.684215069 CET | 443 | 49753 | 104.21.77.86 | 192.168.2.12 |
Mar 10, 2025 15:34:19.714447975 CET | 443 | 49753 | 104.21.77.86 | 192.168.2.12 |
Mar 10, 2025 15:34:19.714479923 CET | 443 | 49753 | 104.21.77.86 | 192.168.2.12 |
Mar 10, 2025 15:34:19.714534044 CET | 49753 | 443 | 192.168.2.12 | 104.21.77.86 |
Mar 10, 2025 15:34:19.714555979 CET | 443 | 49753 | 104.21.77.86 | 192.168.2.12 |
Mar 10, 2025 15:34:19.715001106 CET | 49753 | 443 | 192.168.2.12 | 104.21.77.86 |
Mar 10, 2025 15:34:19.729748011 CET | 443 | 49753 | 104.21.77.86 | 192.168.2.12 |
Mar 10, 2025 15:34:19.739289045 CET | 443 | 49753 | 104.21.77.86 | 192.168.2.12 |
Mar 10, 2025 15:34:19.739855051 CET | 49753 | 443 | 192.168.2.12 | 104.21.77.86 |
Mar 10, 2025 15:34:19.739870071 CET | 443 | 49753 | 104.21.77.86 | 192.168.2.12 |
Mar 10, 2025 15:34:19.744992018 CET | 443 | 49753 | 104.21.77.86 | 192.168.2.12 |
Mar 10, 2025 15:34:19.745158911 CET | 49753 | 443 | 192.168.2.12 | 104.21.77.86 |
Mar 10, 2025 15:34:19.745158911 CET | 49753 | 443 | 192.168.2.12 | 104.21.77.86 |
Mar 10, 2025 15:34:19.745426893 CET | 49753 | 443 | 192.168.2.12 | 104.21.77.86 |
Mar 10, 2025 15:34:19.745443106 CET | 443 | 49753 | 104.21.77.86 | 192.168.2.12 |
Mar 10, 2025 15:34:19.981950045 CET | 49755 | 443 | 192.168.2.12 | 104.21.77.86 |
Mar 10, 2025 15:34:19.981997013 CET | 443 | 49755 | 104.21.77.86 | 192.168.2.12 |
Mar 10, 2025 15:34:19.982075930 CET | 49755 | 443 | 192.168.2.12 | 104.21.77.86 |
Mar 10, 2025 15:34:19.982382059 CET | 49755 | 443 | 192.168.2.12 | 104.21.77.86 |
Mar 10, 2025 15:34:19.982393026 CET | 443 | 49755 | 104.21.77.86 | 192.168.2.12 |
Mar 10, 2025 15:34:22.446217060 CET | 443 | 49755 | 104.21.77.86 | 192.168.2.12 |
Mar 10, 2025 15:34:22.446407080 CET | 49755 | 443 | 192.168.2.12 | 104.21.77.86 |
Mar 10, 2025 15:34:22.450078964 CET | 49755 | 443 | 192.168.2.12 | 104.21.77.86 |
Mar 10, 2025 15:34:22.450110912 CET | 443 | 49755 | 104.21.77.86 | 192.168.2.12 |
Mar 10, 2025 15:34:22.450427055 CET | 443 | 49755 | 104.21.77.86 | 192.168.2.12 |
Mar 10, 2025 15:34:22.459647894 CET | 49755 | 443 | 192.168.2.12 | 104.21.77.86 |
Mar 10, 2025 15:34:22.459862947 CET | 49755 | 443 | 192.168.2.12 | 104.21.77.86 |
Mar 10, 2025 15:34:22.459904909 CET | 443 | 49755 | 104.21.77.86 | 192.168.2.12 |
Mar 10, 2025 15:34:23.318047047 CET | 443 | 49755 | 104.21.77.86 | 192.168.2.12 |
Mar 10, 2025 15:34:23.318219900 CET | 443 | 49755 | 104.21.77.86 | 192.168.2.12 |
Mar 10, 2025 15:34:23.318301916 CET | 49755 | 443 | 192.168.2.12 | 104.21.77.86 |
Mar 10, 2025 15:34:23.382932901 CET | 49755 | 443 | 192.168.2.12 | 104.21.77.86 |
Mar 10, 2025 15:34:23.383008003 CET | 443 | 49755 | 104.21.77.86 | 192.168.2.12 |
Mar 10, 2025 15:34:23.515553951 CET | 49757 | 443 | 192.168.2.12 | 104.21.77.86 |
Mar 10, 2025 15:34:23.515598059 CET | 443 | 49757 | 104.21.77.86 | 192.168.2.12 |
Mar 10, 2025 15:34:23.515727043 CET | 49757 | 443 | 192.168.2.12 | 104.21.77.86 |
Mar 10, 2025 15:34:23.515976906 CET | 49757 | 443 | 192.168.2.12 | 104.21.77.86 |
Mar 10, 2025 15:34:23.515996933 CET | 443 | 49757 | 104.21.77.86 | 192.168.2.12 |
Mar 10, 2025 15:34:25.448493958 CET | 443 | 49757 | 104.21.77.86 | 192.168.2.12 |
Mar 10, 2025 15:34:25.448595047 CET | 49757 | 443 | 192.168.2.12 | 104.21.77.86 |
Mar 10, 2025 15:34:25.449845076 CET | 49757 | 443 | 192.168.2.12 | 104.21.77.86 |
Mar 10, 2025 15:34:25.449857950 CET | 443 | 49757 | 104.21.77.86 | 192.168.2.12 |
Mar 10, 2025 15:34:25.450222969 CET | 443 | 49757 | 104.21.77.86 | 192.168.2.12 |
Mar 10, 2025 15:34:25.451983929 CET | 49757 | 443 | 192.168.2.12 | 104.21.77.86 |
Mar 10, 2025 15:34:25.452100039 CET | 49757 | 443 | 192.168.2.12 | 104.21.77.86 |
Mar 10, 2025 15:34:25.452130079 CET | 443 | 49757 | 104.21.77.86 | 192.168.2.12 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 10, 2025 15:34:04.285346985 CET | 52425 | 53 | 192.168.2.12 | 1.1.1.1 |
Mar 10, 2025 15:34:04.292573929 CET | 53 | 52425 | 1.1.1.1 | 192.168.2.12 |
Mar 10, 2025 15:34:07.549084902 CET | 52525 | 53 | 192.168.2.12 | 1.1.1.1 |
Mar 10, 2025 15:34:07.564724922 CET | 53 | 52525 | 1.1.1.1 | 192.168.2.12 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Mar 10, 2025 15:34:04.285346985 CET | 192.168.2.12 | 1.1.1.1 | 0x31d8 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 10, 2025 15:34:07.549084902 CET | 192.168.2.12 | 1.1.1.1 | 0xb51c | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Mar 10, 2025 15:34:04.292573929 CET | 1.1.1.1 | 192.168.2.12 | 0x31d8 | No error (0) | | | 149.154.167.99 | A (IP address) | IN (0x0001) | false |
Mar 10, 2025 15:34:07.564724922 CET | 1.1.1.1 | 192.168.2.12 | 0xb51c | No error (0) | | | 104.21.77.86 | A (IP address) | IN (0x0001) | false |
Mar 10, 2025 15:34:07.564724922 CET | 1.1.1.1 | 192.168.2.12 | 0xb51c | No error (0) | | | 172.67.205.192 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.12 | 49749 | 149.154.167.99 | 443 | 6508 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-10 14:34:06 UTC | 61 | OUT | |
2025-03-10 14:34:07 UTC | 511 | IN | |
2025-03-10 14:34:07 UTC | 12334 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.12 | 49753 | 104.21.77.86 | 443 | 6508 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-10 14:34:10 UTC | 267 | OUT | |
2025-03-10 14:34:10 UTC | 65 | OUT | |
2025-03-10 14:34:19 UTC | 785 | IN | |
2025-03-10 14:34:19 UTC | 1369 | IN | |
2025-03-10 14:34:19 UTC | 1369 | IN | |
2025-03-10 14:34:19 UTC | 1369 | IN | |
2025-03-10 14:34:19 UTC | 1369 | IN | |
2025-03-10 14:34:19 UTC | 142 | IN | |
2025-03-10 14:34:19 UTC | 1369 | IN | |
2025-03-10 14:34:19 UTC | 1369 | IN | |
2025-03-10 14:34:19 UTC | 1369 | IN | |
2025-03-10 14:34:19 UTC | 1369 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.12 | 49755 | 104.21.77.86 | 443 | 6508 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-10 14:34:22 UTC | 278 | OUT | |
2025-03-10 14:34:22 UTC | 14500 | OUT | |
2025-03-10 14:34:23 UTC | 825 | IN | |
2025-03-10 14:34:23 UTC | 76 | IN | |
2025-03-10 14:34:23 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.12 | 49757 | 104.21.77.86 | 443 | 6508 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-10 14:34:25 UTC | 283 | OUT | |
2025-03-10 14:34:25 UTC | 15069 | OUT | |
2025-03-10 14:34:26 UTC | 818 | IN | |
2025-03-10 14:34:26 UTC | 76 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.12 | 49758 | 104.21.77.86 | 443 | 6508 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-10 14:34:28 UTC | 282 | OUT | |
2025-03-10 14:34:28 UTC | 15331 | OUT | |
2025-03-10 14:34:28 UTC | 4909 | OUT | |
2025-03-10 14:34:29 UTC | 813 | IN | |
2025-03-10 14:34:29 UTC | 76 | IN | |
2025-03-10 14:34:29 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.12 | 49759 | 104.21.77.86 | 443 | 6508 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-10 14:34:32 UTC | 284 | OUT | |
2025-03-10 14:34:32 UTC | 2347 | OUT | |
2025-03-10 14:34:36 UTC | 815 | IN | |
2025-03-10 14:34:36 UTC | 76 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.12 | 49760 | 104.21.77.86 | 443 | 6508 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-10 14:34:38 UTC | 280 | OUT | |
2025-03-10 14:34:38 UTC | 15331 | OUT | |
2025-03-10 14:34:38 UTC | 15331 | OUT | |
2025-03-10 14:34:38 UTC | 15331 | OUT | |
2025-03-10 14:34:38 UTC | 15331 | OUT | |
2025-03-10 14:34:38 UTC | 15331 | OUT | |
2025-03-10 14:34:38 UTC | 15331 | OUT | |
2025-03-10 14:34:38 UTC | 15331 | OUT | |
2025-03-10 14:34:38 UTC | 15331 | OUT | |
2025-03-10 14:34:38 UTC | 15331 | OUT | |
2025-03-10 14:34:38 UTC | 15331 | OUT | |
2025-03-10 14:34:41 UTC | 819 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.12 | 49761 | 104.21.77.86 | 443 | 6508 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-10 14:34:43 UTC | 268 | OUT | |
2025-03-10 14:34:43 UTC | 103 | OUT | |
2025-03-10 14:34:44 UTC | 788 | IN | |
2025-03-10 14:34:44 UTC | 581 | IN | |
2025-03-10 14:34:44 UTC | 1369 | IN | |
2025-03-10 14:34:44 UTC | 1369 | IN | |
2025-03-10 14:34:44 UTC | 1369 | IN | |
2025-03-10 14:34:44 UTC | 1369 | IN | |
2025-03-10 14:34:44 UTC | 1369 | IN | |
2025-03-10 14:34:44 UTC | 1369 | IN | |
2025-03-10 14:34:44 UTC | 1369 | IN | |
2025-03-10 14:34:44 UTC | 291 | IN | |
Target ID: | 0 |
Start time: | 10:33:22 |
Start date: | 10/03/2025 |
Path: | C:\Users\user\Desktop\External2.4.exe1.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x90000 |
File size: | 6'304'256 bytes |
MD5 hash: | 2827BD97BB778245FCCFF32AB3F8F69C |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 3 |
Start time: | 10:33:55 |
Start date: | 10/03/2025 |
Path: | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x780000 |
File size: | 231'736 bytes |
MD5 hash: | A64BEAB5D4516BECA4C40B25DC0C1CD8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | moderate |
Has exited: | false |