Edit tour
Windows
Analysis Report
SecuriteInfo.com.Win64.MalwareX-gen.7894.13424.exe
Overview
General Information
| Sample name: | SecuriteInfo.com.Win64.MalwareX-gen.7894.13424.exe |
| Analysis ID: | 1640351 |
| MD5: | b18d980cfdce9f0758cdc8db9e7f6bf4 |
| SHA1: | 5afe3fc037fcd313d26f01b2dfc0b00300ffb047 |
| SHA256: | 3ee484b7245b7f30f8301359e525b219d8343cbbd407b266db4429b676f1653a |
| Tags: | exeuser-SecuriteInfoCom |
| Infos: |   |
 | |
Detection
LummaC Stealer
| Score: | 100 |
| Range: | 0 - 100 |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
SecuriteInfo.com.Win64.MalwareX-gen.7894.13424.exe (PID: 7836 cmdline: "C:\Users\ user\Deskt op\Securit eInfo.com. Win64.Malw areX-gen.7 894.13424. exe" MD5: B18D980CFDCE9F0758CDC8DB9E7F6BF4) 
conhost.exe (PID: 7844 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
MSBuild.exe (PID: 7892 cmdline: "C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\MSB uild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
- cleanup
{"C2 url": ["rugbybrign.life/gKAozj", "caliberc.today/KowpqlL", "pistolpra.bet/dABYyaz", "weaponwo.life/NghsayA", "armamenti.world/dsIOQn", "selfdefens.bet/dASBUz", "targett.top/dsANGt", "armoryarch.shop/GiqwY"], "Build id": "ec7bcfffdb54957750b0c5a151d2a749a011650e4d2dd6aa0ea4c9ac"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
System Summary |   |
|---|
| Source: | Author: Kiran kumar s, oscd.community: | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-03-17T08:20:11.062614+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49711 | 149.154.167.99 | 443 | TCP |
| 2025-03-17T08:20:11.950375+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49712 | 104.21.32.1 | 443 | TCP |
| 2025-03-17T08:20:13.153460+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49713 | 104.21.32.1 | 443 | TCP |
| 2025-03-17T08:20:14.178888+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49714 | 104.21.32.1 | 443 | TCP |
| 2025-03-17T08:20:15.203038+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49717 | 104.21.32.1 | 443 | TCP |
| 2025-03-17T08:20:16.457199+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49718 | 104.21.32.1 | 443 | TCP |
| 2025-03-17T08:20:17.617692+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49720 | 104.21.32.1 | 443 | TCP |
| 2025-03-17T08:20:19.605021+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49722 | 104.21.32.1 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Code function: | 2_2_0041C378 | |
| Source: | Code function: | 2_2_0041B570 | |
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00007FF748B011D4 | |
| Source: | Code function: | 0_2_00007FF748B01358 | |
| Source: | Code function: | 2_2_00412042 | |
| Source: | Code function: | 2_2_0044D090 | |
| Source: | Code function: | 2_2_0042E9A0 | |
| Source: | Code function: | 2_2_004119BB | |
| Source: | Code function: | 2_2_00420A00 | |
| Source: | Code function: | 2_2_00420A00 | |
| Source: | Code function: | 2_2_0044CAF0 | |
| Source: | Code function: | 2_2_00435B69 | |
| Source: | Code function: | 2_2_00435B69 | |
| Source: | Code function: | 2_2_00435B69 | |
| Source: | Code function: | 2_2_0041B570 | |
| Source: | Code function: | 2_2_0041B570 | |
| Source: | Code function: | 2_2_0041B570 | |
| Source: | Code function: | 2_2_00401040 | |
| Source: | Code function: | 2_2_00411040 | |
| Source: | Code function: | 2_2_0041A870 | |
| Source: | Code function: | 2_2_0041A870 | |
| Source: | Code function: | 2_2_0041A870 | |
| Source: | Code function: | 2_2_0043282C | |
| Source: | Code function: | 2_2_004328C8 | |
| Source: | Code function: | 2_2_004288D0 | |
| Source: | Code function: | 2_2_0042C0D1 | |
| Source: | Code function: | 2_2_00431160 | |
| Source: | Code function: | 2_2_00440900 | |
| Source: | Code function: | 2_2_00436917 | |
| Source: | Code function: | 2_2_0040EA7C | |
| Source: | Code function: | 2_2_0040C200 | |
| Source: | Code function: | 2_2_00408A10 | |
| Source: | Code function: | 2_2_0042E2C0 | |
| Source: | Code function: | 2_2_004372F5 | |
| Source: | Code function: | 2_2_0040A350 | |
| Source: | Code function: | 2_2_0040A350 | |
| Source: | Code function: | 2_2_0041CB18 | |
| Source: | Code function: | 2_2_00448320 | |
| Source: | Code function: | 2_2_0044AB23 | |
| Source: | Code function: | 2_2_0044B330 | |
| Source: | Code function: | 2_2_0044B330 | |
| Source: | Code function: | 2_2_004383C6 | |
| Source: | Code function: | 2_2_0040C3D0 | |
| Source: | Code function: | 2_2_0044B3D0 | |
| Source: | Code function: | 2_2_0044B3D0 | |
| Source: | Code function: | 2_2_00428380 | |
| Source: | Code function: | 2_2_0041A390 | |
| Source: | Code function: | 2_2_00438452 | |
| Source: | Code function: | 2_2_00431460 | |
| Source: | Code function: | 2_2_0044B460 | |
| Source: | Code function: | 2_2_0044B460 | |
| Source: | Code function: | 2_2_0040D4C0 | |
| Source: | Code function: | 2_2_0044D4E0 | |
| Source: | Code function: | 2_2_00432CF0 | |
| Source: | Code function: | 2_2_00430522 | |
| Source: | Code function: | 2_2_00427DC0 | |
| Source: | Code function: | 2_2_00427DC0 | |
| Source: | Code function: | 2_2_0042EDF0 | |
| Source: | Code function: | 2_2_00445580 | |
| Source: | Code function: | 2_2_0041F642 | |
| Source: | Code function: | 2_2_00447E40 | |
| Source: | Code function: | 2_2_00434E68 | |
| Source: | Code function: | 2_2_00437E14 | |
| Source: | Code function: | 2_2_0041EEE2 | |
| Source: | Code function: | 2_2_0044A6F0 | |
| Source: | Code function: | 2_2_00430E89 | |
| Source: | Code function: | 2_2_0042DF70 | |
| Source: | Code function: | 2_2_0042BF00 | |
| Source: | Code function: | 2_2_0041D01D | |
| Source: | Code function: | 2_2_00423F10 | |
| Source: | Code function: | 2_2_00430724 | |
| Source: | Code function: | 2_2_0040C730 | |
| Source: | Code function: | 2_2_0041A7B0 | |
| Source: | Code function: | 2_2_0044C7B0 | |
Networking | |
|---|
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | HTTP traffic detected: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 2_2_0043E7C0 | |
| Source: | Code function: | 2_2_03371000 | |
| Source: | Code function: | 2_2_0043E7C0 | |
| Source: | Code function: | 2_2_0043F1BF | |
| Source: | Code function: | 0_2_00007FF748B072EC | |
| Source: | Code function: | 0_2_00007FF748B011D4 | |
| Source: | Code function: | 0_2_00007FF748AF5E00 | |
| Source: | Code function: | 0_2_00007FF748AF51F0 | |
| Source: | Code function: | 0_2_00007FF748AF4DE0 | |
| Source: | Code function: | 0_2_00007FF748AED920 | |
| Source: | Code function: | 0_2_00007FF748AF0170 | |
| Source: | Code function: | 0_2_00007FF748AEDD60 | |
| Source: | Code function: | 0_2_00007FF748AE3ED0 | |
| Source: | Code function: | 0_2_00007FF748AF5AD0 | |
| Source: | Code function: | 0_2_00007FF748AF4AD0 | |
| Source: | Code function: | 0_2_00007FF748AEC2C0 | |
| Source: | Code function: | 0_2_00007FF748B09708 | |
| Source: | Code function: | 0_2_00007FF748AFA29C | |
| Source: | Code function: | 0_2_00007FF748AEF710 | |
| Source: | Code function: | 0_2_00007FF748AE6EE0 | |
| Source: | Code function: | 0_2_00007FF748AE2640 | |
| Source: | Code function: | 0_2_00007FF748B07A6C | |
| Source: | Code function: | 0_2_00007FF748AF1BB0 | |
| Source: | Code function: | 0_2_00007FF748AF1FA0 | |
| Source: | Code function: | 0_2_00007FF748AED3F0 | |
| Source: | Code function: | 0_2_00007FF748AEBB40 | |
| Source: | Code function: | 0_2_00007FF748AE4790 | |
| Source: | Code function: | 0_2_00007FF748AE2B70 | |
| Source: | Code function: | 0_2_00007FF748B01358 | |
| Source: | Code function: | 0_2_00007FF748AF08E0 | |
| Source: | Code function: | 0_2_00007FF748AF2450 | |
| Source: | Code function: | 0_2_00007FF748AEF440 | |
| Source: | Code function: | 0_2_00007FF748AF7880 | |
| Source: | Code function: | 0_2_00007FF748AF4060 | |
| Source: | Code function: | 2_2_0042B00F | |
| Source: | Code function: | 2_2_00417170 | |
| Source: | Code function: | 2_2_0042E9A0 | |
| Source: | Code function: | 2_2_00420A00 | |
| Source: | Code function: | 2_2_0044CAF0 | |
| Source: | Code function: | 2_2_00443AB0 | |
| Source: | Code function: | 2_2_0042B350 | |
| Source: | Code function: | 2_2_00447B50 | |
| Source: | Code function: | 2_2_00435B69 | |
| Source: | Code function: | 2_2_00412378 | |
| Source: | Code function: | 2_2_0041C378 | |
| Source: | Code function: | 2_2_0040BB10 | |
| Source: | Code function: | 2_2_0043638D | |
| Source: | Code function: | 2_2_0041B570 | |
| Source: | Code function: | 2_2_0044BE70 | |
| Source: | Code function: | 2_2_0041569F | |
| Source: | Code function: | 2_2_00443EA0 | |
| Source: | Code function: | 2_2_00449F27 | |
| Source: | Code function: | 2_2_00401040 | |
| Source: | Code function: | 2_2_00411040 | |
| Source: | Code function: | 2_2_00443060 | |
| Source: | Code function: | 2_2_0041A870 | |
| Source: | Code function: | 2_2_0042C0C0 | |
| Source: | Code function: | 2_2_0042C0D1 | |
| Source: | Code function: | 2_2_0044B0D0 | |
| Source: | Code function: | 2_2_0042F0EB | |
| Source: | Code function: | 2_2_00436917 | |
| Source: | Code function: | 2_2_004251F0 | |
| Source: | Code function: | 2_2_0043225F | |
| Source: | Code function: | 2_2_0043E260 | |
| Source: | Code function: | 2_2_00423A70 | |
| Source: | Code function: | 2_2_00408A10 | |
| Source: | Code function: | 2_2_0040BA30 | |
| Source: | Code function: | 2_2_0042E2C0 | |
| Source: | Code function: | 2_2_004432C0 | |
| Source: | Code function: | 2_2_00444AD0 | |
| Source: | Code function: | 2_2_00402AB0 | |
| Source: | Code function: | 2_2_0040A350 | |
| Source: | Code function: | 2_2_0041CB18 | |
| Source: | Code function: | 2_2_0042FB19 | |
| Source: | Code function: | 2_2_00434320 | |
| Source: | Code function: | 2_2_00448320 | |
| Source: | Code function: | 2_2_0044AB23 | |
| Source: | Code function: | 2_2_0044B330 | |
| Source: | Code function: | 2_2_0042BBC0 | |
| Source: | Code function: | 2_2_0044C3C0 | |
| Source: | Code function: | 2_2_0044B3D0 | |
| Source: | Code function: | 2_2_004163D8 | |
| Source: | Code function: | 2_2_0041E3DB | |
| Source: | Code function: | 2_2_004353D9 | |
| Source: | Code function: | 2_2_0040FBF0 | |
| Source: | Code function: | 2_2_0042A383 | |
| Source: | Code function: | 2_2_00428380 | |
| Source: | Code function: | 2_2_0044BB80 | |
| Source: | Code function: | 2_2_00445B90 | |
| Source: | Code function: | 2_2_00442BB1 | |
| Source: | Code function: | 2_2_0042045C | |
| Source: | Code function: | 2_2_0044B460 | |
| Source: | Code function: | 2_2_0041DC1A | |
| Source: | Code function: | 2_2_00424430 | |
| Source: | Code function: | 2_2_00437439 | |
| Source: | Code function: | 2_2_0040D4C0 | |
| Source: | Code function: | 2_2_0043E4F0 | |
| Source: | Code function: | 2_2_00438490 | |
| Source: | Code function: | 2_2_004034B0 | |
| Source: | Code function: | 2_2_0040AD50 | |
| Source: | Code function: | 2_2_00409570 | |
| Source: | Code function: | 2_2_0043BD70 | |
| Source: | Code function: | 2_2_00407D10 | |
| Source: | Code function: | 2_2_00422D10 | |
| Source: | Code function: | 2_2_00416D3A | |
| Source: | Code function: | 2_2_00427DC0 | |
| Source: | Code function: | 2_2_0040CDD0 | |
| Source: | Code function: | 2_2_0043C5ED | |
| Source: | Code function: | 2_2_0042EDF0 | |
| Source: | Code function: | 2_2_0040B590 | |
| Source: | Code function: | 2_2_004135B0 | |
| Source: | Code function: | 2_2_00403E50 | |
| Source: | Code function: | 2_2_0043965A | |
| Source: | Code function: | 2_2_00410670 | |
| Source: | Code function: | 2_2_0041D610 | |
| Source: | Code function: | 2_2_0042EE10 | |
| Source: | Code function: | 2_2_00437E14 | |
| Source: | Code function: | 2_2_00441ED6 | |
| Source: | Code function: | 2_2_00444ED0 | |
| Source: | Code function: | 2_2_00430E89 | |
| Source: | Code function: | 2_2_00426770 | |
| Source: | Code function: | 2_2_0042DF70 | |
| Source: | Code function: | 2_2_0042BF00 | |
| Source: | Code function: | 2_2_0044171A | |
| Source: | Code function: | 2_2_00423720 | |
| Source: | Code function: | 2_2_00439F20 | |
| Source: | Code function: | 2_2_0040C730 | |
| Source: | Code function: | 2_2_00404732 | |
| Source: | Code function: | 2_2_00448FC7 | |
| Source: | Code function: | 2_2_004457D0 | |
| Source: | Code function: | 2_2_0041FFE0 | |
| Source: | Code function: | 2_2_0043B7E0 | |
| Source: | Code function: | 2_2_00408FF0 | |
| Source: | Code function: | 2_2_0042D7FD | |
| Source: | Code function: | 2_2_0043DFB0 | |
| Source: | Code function: | 2_2_0044C7B0 | |
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 2_2_00443EA0 | |
| Source: | Mutant created: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 2_2_004548DA | |
| Source: | Code function: | 2_2_0044F472 | |
| Source: | Code function: | 2_2_0044F47E | |
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | WMI Queries: | ||
| Source: | System information queried: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Code function: | 0_2_00007FF748B011D4 | |
| Source: | Code function: | 0_2_00007FF748B01358 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_2-21693 | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 2_2_00449710 | |
| Source: | Code function: | 0_2_00007FF748AFAB04 | |
| Source: | Code function: | 0_2_00007FF748AFE2EC | |
| Source: | Code function: | 0_2_00007FF748AFAB04 | |
| Source: | Code function: | 0_2_00007FF748AF8704 | |
| Source: | Code function: | 0_2_00007FF748AF86F4 | |
| Source: | Code function: | 0_2_00007FF748AF8088 | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FF748B09520 | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FF748AF8570 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 DLL Side-Loading | 311 Process Injection | 21 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 311 Process Injection | LSASS Memory | 241 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 41 Data from Local System | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 1 Process Discovery | Distributed Component Object Model | 3 Clipboard Data | 114 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 11 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 33 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 52% | Virustotal | Browse | ||
| 56% | ReversingLabs | Win64.Trojan.Generic |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | high | |
| rugbybrign.life | 104.21.32.1 | true | true | unknown | |
| t.me | 149.154.167.99 | true | false | high | |
| pki-goog.l.google.com | 142.250.186.67 | true | false | high | |
| c.pki.goog | unknown | unknown | false | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | high | ||
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| false |
| unknown | |
| true |
| unknown | |
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 104.21.32.1 | rugbybrign.life | United States | 13335 | CLOUDFLARENETUS | true | |
| 149.154.167.99 | t.me | United Kingdom | 62041 | TELEGRAMRU | false |
| Joe Sandbox version: | 42.0.0 Malachite |
| Analysis ID: | 1640351 |
| Start date and time: | 2025-03-17 08:19:13 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 4m 50s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 12 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | SecuriteInfo.com.Win64.MalwareX-gen.7894.13424.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@4/0@4/2 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 23.60.203.209, 2.23.77.188, 4.245.163.56, 199.232.214.172, 20.242.39.171
- Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, e3913.cd.akamaiedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, fe3cr.delivery.mp.microsoft.com, cac-ocsp.digicert.com.edgekey.net, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
| Time | Type | Description |
|---|---|---|
| 03:20:10 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 104.21.32.1 | Get hash | malicious | FormBook | Browse |
| |
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | Lokibot | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| 149.154.167.99 | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Cinoshi Stealer | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| t.me | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Vidar | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Vidar | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer, RHADAMANTHYS | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| pki-goog.l.google.com | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Babadeda | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | DanaBot | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | XWorm | Browse |
| ||
| Get hash | malicious | XWorm | Browse |
| ||
| Get hash | malicious | SugarDump, XWorm | Browse |
| ||
| Get hash | malicious | Vidar | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| rugbybrign.life | Get hash | malicious | LummaC Stealer | Browse |
| |
| bg.microsoft.map.fastly.net | Get hash | malicious | Sality | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Babadeda | Browse |
| ||
| Get hash | malicious | Sality | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | DanaBot | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| TELEGRAMRU | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Vidar | Browse |
| ||
| Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
| ||
| Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
| ||
| Get hash | malicious | Amadey, LummaC Stealer, Mars Stealer, PureLog Stealer, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| CLOUDFLARENETUS | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | Python Stealer, Exela Stealer, Njrat | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Globeimposter | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | GhostRat, Mimikatz, Nitol | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Latrodectus, LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
|
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 7.643117173349902 |
| TrID: |
|
| File name: | SecuriteInfo.com.Win64.MalwareX-gen.7894.13424.exe |
| File size: | 588'288 bytes |
| MD5: | b18d980cfdce9f0758cdc8db9e7f6bf4 |
| SHA1: | 5afe3fc037fcd313d26f01b2dfc0b00300ffb047 |
| SHA256: | 3ee484b7245b7f30f8301359e525b219d8343cbbd407b266db4429b676f1653a |
| SHA512: | 2c32291355477e9f197f68c2be4b29eeaf585365108966c3a87ec85045509c107ee6a1c99356b604dce83fc1f43f0f1f3d50c413b4fa00980a69879a4023a2f8 |
| SSDEEP: | 12288:1WCzTM2dzPblUrAv5oSZAROpMHq1xw86W40tqTIriQX+C1K8fTrvlU:1UePp94O6W4NMawlU |
| TLSH: | 81C4E16E32561CEAED73487CCED57A45DA73382A8F11CBF706A441211E235D29D3EB22 |
| File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....}.g.........."............................@.............................p............`........................................ |
 | |
| Icon Hash: | 90cececece8e8eb0 |
| Entrypoint: | 0x14001831c |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x140000000 |
| Subsystem: | windows cui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
| DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x67D57DF5 [Sat Mar 15 13:17:41 2025 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | fd2739e7ebf69dea0556a52b87570850 |
| Instruction |
|---|
| dec eax |
| sub esp, 28h |
| call 00007FF574CE2BA0h |
| dec eax |
| add esp, 28h |
| jmp 00007FF574CE27C7h |
| int3 |
| int3 |
| dec eax |
| sub esp, 28h |
| call 00007FF574CE2964h |
| dec eax |
| neg eax |
| sbb eax, eax |
| neg eax |
| dec eax |
| dec eax |
| add esp, 28h |
| ret |
| int3 |
| inc eax |
| push ebx |
| dec eax |
| sub esp, 20h |
| dec eax |
| cmp dword ptr [0001E092h], FFFFFFFFh |
| dec eax |
| mov ebx, ecx |
| jne 00007FF574CE2959h |
| call 00007FF574CE4881h |
| jmp 00007FF574CE2961h |
| dec eax |
| mov edx, ebx |
| dec eax |
| lea ecx, dword ptr [0001E07Ch] |
| call 00007FF574CE47E4h |
| xor edx, edx |
| test eax, eax |
| dec eax |
| cmove edx, ebx |
| dec eax |
| mov eax, edx |
| dec eax |
| add esp, 20h |
| pop ebx |
| ret |
| int3 |
| int3 |
| dec eax |
| sub esp, 18h |
| dec esp |
| mov eax, ecx |
| mov eax, 00005A4Dh |
| cmp word ptr [FFFE7C69h], ax |
| jne 00007FF574CE29CAh |
| dec eax |
| arpl word ptr [FFFE7C9Ch], cx |
| dec eax |
| lea edx, dword ptr [FFFE7C59h] |
| dec eax |
| add ecx, edx |
| cmp dword ptr [ecx], 00004550h |
| jne 00007FF574CE29B1h |
| mov eax, 0000020Bh |
| cmp word ptr [ecx+18h], ax |
| jne 00007FF574CE29A6h |
| dec esp |
| sub eax, edx |
| movzx edx, word ptr [ecx+14h] |
| dec eax |
| add edx, 18h |
| dec eax |
| add edx, ecx |
| movzx eax, word ptr [ecx+06h] |
| dec eax |
| lea ecx, dword ptr [eax+eax*4] |
| dec esp |
| lea ecx, dword ptr [edx+ecx*8] |
| dec eax |
| mov dword ptr [esp], edx |
| dec ecx |
| cmp edx, ecx |
| je 00007FF574CE296Ah |
| mov ecx, dword ptr [edx+0Ch] |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x32c78 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x38000 | 0x15b4 | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3e000 | 0x668 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2b1e0 | 0x140 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x32f08 | 0x268 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x29aa7 | 0x29c00 | bc39eb6dd60785e4180e7c7cbb3afa99 | False | 0.5047717065868264 | data | 6.600671819762486 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x2b000 | 0x9c0c | 0x9e00 | 87242c2b164715b145e7eeeb049c8f17 | False | 0.41544699367088606 | data | 4.795620390693286 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x35000 | 0x2040 | 0xc00 | da54f09d231e8fd39b1de467f9d4a7c5 | False | 0.17805989583333334 | data | 2.440587319916063 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .pdata | 0x38000 | 0x15b4 | 0x1600 | 092a09f2375815764b7919ab42978e4d | False | 0.4836647727272727 | data | 5.410912571801746 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .gxfg | 0x3a000 | 0x13e0 | 0x1400 | 07ef09fd727107c6620b60102558fa00 | False | 0.43828125 | PGP symmetric key encrypted data - Plaintext or unencrypted data | 5.090449058306497 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .retplne | 0x3c000 | 0x8c | 0x200 | 8c950f651287cbc1296bcb4e8cd7e990 | False | 0.126953125 | data | 1.050583247971927 | |
| _RDATA | 0x3d000 | 0x1f4 | 0x200 | 7b11f7add986212d544d974c3e5f9c4f | False | 0.53125 | data | 4.225546917809558 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x3e000 | 0x668 | 0x800 | edea3649b03d6ab7210f59a9f658694e | False | 0.501953125 | data | 4.9254112948995346 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| .bss | 0x3f000 | 0x57800 | 0x57800 | 838b40afaca0bfe6f96480f9afb914ae | False | 1.0003236607142858 | data | 7.9994845828140875 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| DLL | Import |
|---|---|
| KERNEL32.dll | CloseHandle, CompareStringW, CreateFileW, DeleteCriticalSection, EncodePointer, EnterCriticalSection, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlsAlloc, FlsFree, FlsGetValue, FlsSetValue, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileType, GetLastError, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, RtlCaptureContext, RtlLookupFunctionEntry, RtlPcToFileHeader, RtlUnwindEx, RtlVirtualUnwind, SetEndOfFile, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WideCharToMultiByte, WriteConsoleW, WriteFile |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-03-17T08:20:11.062614+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49711 | 149.154.167.99 | 443 | TCP |
| 2025-03-17T08:20:11.950375+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49712 | 104.21.32.1 | 443 | TCP |
| 2025-03-17T08:20:13.153460+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49713 | 104.21.32.1 | 443 | TCP |
| 2025-03-17T08:20:14.178888+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49714 | 104.21.32.1 | 443 | TCP |
| 2025-03-17T08:20:15.203038+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49717 | 104.21.32.1 | 443 | TCP |
| 2025-03-17T08:20:16.457199+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49718 | 104.21.32.1 | 443 | TCP |
| 2025-03-17T08:20:17.617692+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49720 | 104.21.32.1 | 443 | TCP |
| 2025-03-17T08:20:19.605021+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49722 | 104.21.32.1 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 17, 2025 08:20:10.414917946 CET | 49711 | 443 | 192.168.2.4 | 149.154.167.99 |
| Mar 17, 2025 08:20:10.414963961 CET | 443 | 49711 | 149.154.167.99 | 192.168.2.4 |
| Mar 17, 2025 08:20:10.415024042 CET | 49711 | 443 | 192.168.2.4 | 149.154.167.99 |
| Mar 17, 2025 08:20:10.417618990 CET | 49711 | 443 | 192.168.2.4 | 149.154.167.99 |
| Mar 17, 2025 08:20:10.417634964 CET | 443 | 49711 | 149.154.167.99 | 192.168.2.4 |
| Mar 17, 2025 08:20:11.062391996 CET | 443 | 49711 | 149.154.167.99 | 192.168.2.4 |
| Mar 17, 2025 08:20:11.062613964 CET | 49711 | 443 | 192.168.2.4 | 149.154.167.99 |
| Mar 17, 2025 08:20:11.065653086 CET | 49711 | 443 | 192.168.2.4 | 149.154.167.99 |
| Mar 17, 2025 08:20:11.065664053 CET | 443 | 49711 | 149.154.167.99 | 192.168.2.4 |
| Mar 17, 2025 08:20:11.065884113 CET | 443 | 49711 | 149.154.167.99 | 192.168.2.4 |
| Mar 17, 2025 08:20:11.109651089 CET | 49711 | 443 | 192.168.2.4 | 149.154.167.99 |
| Mar 17, 2025 08:20:11.152327061 CET | 443 | 49711 | 149.154.167.99 | 192.168.2.4 |
| Mar 17, 2025 08:20:11.435384035 CET | 443 | 49711 | 149.154.167.99 | 192.168.2.4 |
| Mar 17, 2025 08:20:11.435404062 CET | 443 | 49711 | 149.154.167.99 | 192.168.2.4 |
| Mar 17, 2025 08:20:11.435417891 CET | 443 | 49711 | 149.154.167.99 | 192.168.2.4 |
| Mar 17, 2025 08:20:11.435447931 CET | 443 | 49711 | 149.154.167.99 | 192.168.2.4 |
| Mar 17, 2025 08:20:11.435475111 CET | 49711 | 443 | 192.168.2.4 | 149.154.167.99 |
| Mar 17, 2025 08:20:11.435497999 CET | 443 | 49711 | 149.154.167.99 | 192.168.2.4 |
| Mar 17, 2025 08:20:11.435509920 CET | 49711 | 443 | 192.168.2.4 | 149.154.167.99 |
| Mar 17, 2025 08:20:11.435511112 CET | 443 | 49711 | 149.154.167.99 | 192.168.2.4 |
| Mar 17, 2025 08:20:11.435533047 CET | 49711 | 443 | 192.168.2.4 | 149.154.167.99 |
| Mar 17, 2025 08:20:11.435559988 CET | 49711 | 443 | 192.168.2.4 | 149.154.167.99 |
| Mar 17, 2025 08:20:11.464159012 CET | 49711 | 443 | 192.168.2.4 | 149.154.167.99 |
| Mar 17, 2025 08:20:11.464179039 CET | 443 | 49711 | 149.154.167.99 | 192.168.2.4 |
| Mar 17, 2025 08:20:11.464188099 CET | 49711 | 443 | 192.168.2.4 | 149.154.167.99 |
| Mar 17, 2025 08:20:11.464194059 CET | 443 | 49711 | 149.154.167.99 | 192.168.2.4 |
| Mar 17, 2025 08:20:11.481889963 CET | 49712 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:11.481913090 CET | 443 | 49712 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:11.481987000 CET | 49712 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:11.482240915 CET | 49712 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:11.482255936 CET | 443 | 49712 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:11.626147985 CET | 49671 | 443 | 192.168.2.4 | 204.79.197.203 |
| Mar 17, 2025 08:20:11.938119888 CET | 49671 | 443 | 192.168.2.4 | 204.79.197.203 |
| Mar 17, 2025 08:20:11.950179100 CET | 443 | 49712 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:11.950375080 CET | 49712 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:11.976377010 CET | 49712 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:11.976397038 CET | 443 | 49712 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:11.976634026 CET | 443 | 49712 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:11.988158941 CET | 49712 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:11.988158941 CET | 49712 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:11.988244057 CET | 443 | 49712 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:12.372697115 CET | 443 | 49712 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:12.372751951 CET | 443 | 49712 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:12.372777939 CET | 443 | 49712 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:12.372802019 CET | 49712 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:12.372803926 CET | 443 | 49712 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:12.372822046 CET | 443 | 49712 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:12.372845888 CET | 49712 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:12.373311996 CET | 443 | 49712 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:12.373342037 CET | 443 | 49712 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:12.373352051 CET | 49712 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:12.373358965 CET | 443 | 49712 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:12.373395920 CET | 49712 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:12.377224922 CET | 443 | 49712 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:12.377280951 CET | 443 | 49712 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:12.377305031 CET | 443 | 49712 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:12.377521038 CET | 49712 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:12.377530098 CET | 443 | 49712 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:12.377564907 CET | 49712 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:12.484486103 CET | 443 | 49712 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:12.484543085 CET | 443 | 49712 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:12.484589100 CET | 49712 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:12.511218071 CET | 49712 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:12.511234999 CET | 443 | 49712 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:12.511245966 CET | 49712 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:12.511250973 CET | 443 | 49712 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:12.547445059 CET | 49671 | 443 | 192.168.2.4 | 204.79.197.203 |
| Mar 17, 2025 08:20:12.686953068 CET | 49713 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:12.686995983 CET | 443 | 49713 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:12.687072992 CET | 49713 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:12.687429905 CET | 49713 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:12.687443018 CET | 443 | 49713 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:13.153287888 CET | 443 | 49713 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:13.153460026 CET | 49713 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:13.154548883 CET | 49713 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:13.154565096 CET | 443 | 49713 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:13.154787064 CET | 443 | 49713 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:13.155853033 CET | 49713 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:13.155977964 CET | 49713 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:13.156008005 CET | 443 | 49713 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:13.156064987 CET | 49713 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:13.156073093 CET | 443 | 49713 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:13.696868896 CET | 443 | 49713 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:13.696969986 CET | 443 | 49713 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:13.697155952 CET | 49713 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:13.697186947 CET | 49713 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:13.697202921 CET | 443 | 49713 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:13.714837074 CET | 49714 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:13.714871883 CET | 443 | 49714 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:13.714957952 CET | 49714 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:13.715277910 CET | 49714 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:13.715290070 CET | 443 | 49714 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:13.750695944 CET | 49671 | 443 | 192.168.2.4 | 204.79.197.203 |
| Mar 17, 2025 08:20:14.178818941 CET | 443 | 49714 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:14.178888083 CET | 49714 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:14.180360079 CET | 49714 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:14.180366993 CET | 443 | 49714 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:14.180589914 CET | 443 | 49714 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:14.184290886 CET | 49714 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:14.186284065 CET | 49714 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:14.186317921 CET | 443 | 49714 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:14.667990923 CET | 443 | 49714 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:14.668078899 CET | 443 | 49714 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:14.668253899 CET | 49714 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:14.668283939 CET | 49714 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:14.668299913 CET | 443 | 49714 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:14.746360064 CET | 49717 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:14.746406078 CET | 443 | 49717 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:14.746480942 CET | 49717 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:14.746773005 CET | 49717 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:14.746786118 CET | 443 | 49717 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:15.202843904 CET | 443 | 49717 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:15.203037977 CET | 49717 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:15.225589991 CET | 49717 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:15.225606918 CET | 443 | 49717 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:15.225822926 CET | 443 | 49717 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:15.266218901 CET | 49717 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:15.268193007 CET | 49717 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:15.268400908 CET | 49717 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:15.268425941 CET | 443 | 49717 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:15.268501997 CET | 49717 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:15.268512964 CET | 443 | 49717 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:15.800735950 CET | 443 | 49717 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:15.800826073 CET | 443 | 49717 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:15.800875902 CET | 49717 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:15.800968885 CET | 49717 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:15.800990105 CET | 443 | 49717 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:15.971873999 CET | 49718 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:15.971920013 CET | 443 | 49718 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:15.971998930 CET | 49718 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:15.972839117 CET | 49718 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:15.972855091 CET | 443 | 49718 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:16.156969070 CET | 49671 | 443 | 192.168.2.4 | 204.79.197.203 |
| Mar 17, 2025 08:20:16.457128048 CET | 443 | 49718 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:16.457199097 CET | 49718 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:16.458352089 CET | 49718 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:16.458362103 CET | 443 | 49718 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:16.458616972 CET | 443 | 49718 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:16.461519957 CET | 49718 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:16.461600065 CET | 49718 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:16.461613894 CET | 443 | 49718 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:16.900300026 CET | 443 | 49718 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:16.900424004 CET | 443 | 49718 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:16.900509119 CET | 49718 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:16.900712013 CET | 49718 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:16.900724888 CET | 443 | 49718 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:17.161062956 CET | 49720 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:17.161098003 CET | 443 | 49720 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:17.161212921 CET | 49720 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:17.161516905 CET | 49720 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:17.161529064 CET | 443 | 49720 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:17.617465973 CET | 443 | 49720 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:17.617691994 CET | 49720 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:17.619292021 CET | 49720 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:17.619299889 CET | 443 | 49720 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:17.619497061 CET | 443 | 49720 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:17.620800018 CET | 49720 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:17.621776104 CET | 49720 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:17.621810913 CET | 443 | 49720 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:17.621906042 CET | 49720 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:17.621938944 CET | 443 | 49720 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:17.622036934 CET | 49720 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:17.622143984 CET | 443 | 49720 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:17.622266054 CET | 49720 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:17.622289896 CET | 443 | 49720 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:17.622415066 CET | 49720 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:17.622443914 CET | 443 | 49720 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:17.622571945 CET | 49720 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:17.622600079 CET | 49720 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:17.622601032 CET | 443 | 49720 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:17.622622967 CET | 443 | 49720 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:17.622744083 CET | 49720 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:17.622781992 CET | 49720 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:17.622822046 CET | 443 | 49720 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:17.622956991 CET | 49720 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:17.622994900 CET | 49720 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:17.623009920 CET | 49720 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:17.632575989 CET | 443 | 49720 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:17.632761955 CET | 49720 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:17.632783890 CET | 49720 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:17.632827044 CET | 443 | 49720 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:17.633023977 CET | 49720 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:17.633044958 CET | 443 | 49720 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:17.638499975 CET | 443 | 49720 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:19.144762993 CET | 443 | 49720 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:19.144862890 CET | 443 | 49720 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:19.144917011 CET | 49720 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:19.145009041 CET | 49720 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:19.145020008 CET | 443 | 49720 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:19.148766041 CET | 49722 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:19.148806095 CET | 443 | 49722 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:19.148885965 CET | 49722 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:19.149163961 CET | 49722 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:19.149183035 CET | 443 | 49722 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:19.604965925 CET | 443 | 49722 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:19.605021000 CET | 49722 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:19.607168913 CET | 49722 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:19.607180119 CET | 443 | 49722 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:19.607420921 CET | 443 | 49722 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:19.608814955 CET | 49722 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:19.608874083 CET | 49722 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:19.608916998 CET | 443 | 49722 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:20.005312920 CET | 443 | 49722 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:20.005382061 CET | 443 | 49722 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:20.005418062 CET | 443 | 49722 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:20.005429029 CET | 49722 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:20.005444050 CET | 443 | 49722 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:20.005479097 CET | 49722 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:20.005482912 CET | 443 | 49722 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:20.005496025 CET | 443 | 49722 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:20.005548954 CET | 49722 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:20.005557060 CET | 443 | 49722 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:20.006321907 CET | 443 | 49722 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:20.006359100 CET | 443 | 49722 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:20.006361961 CET | 49722 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:20.006369114 CET | 443 | 49722 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:20.006413937 CET | 49722 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:20.006421089 CET | 443 | 49722 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:20.006432056 CET | 443 | 49722 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:20.006474972 CET | 49722 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:20.006551981 CET | 49722 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:20.006562948 CET | 443 | 49722 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:20.006575108 CET | 49722 | 443 | 192.168.2.4 | 104.21.32.1 |
| Mar 17, 2025 08:20:20.006580114 CET | 443 | 49722 | 104.21.32.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:20.391674042 CET | 49678 | 443 | 192.168.2.4 | 20.189.173.27 |
| Mar 17, 2025 08:20:20.704461098 CET | 49678 | 443 | 192.168.2.4 | 20.189.173.27 |
| Mar 17, 2025 08:20:20.969551086 CET | 49671 | 443 | 192.168.2.4 | 204.79.197.203 |
| Mar 17, 2025 08:20:21.313133955 CET | 49678 | 443 | 192.168.2.4 | 20.189.173.27 |
| Mar 17, 2025 08:20:22.516268969 CET | 49678 | 443 | 192.168.2.4 | 20.189.173.27 |
| Mar 17, 2025 08:20:23.909570932 CET | 49681 | 80 | 192.168.2.4 | 2.17.190.73 |
| Mar 17, 2025 08:20:24.219425917 CET | 49681 | 80 | 192.168.2.4 | 2.17.190.73 |
| Mar 17, 2025 08:20:24.828775883 CET | 49681 | 80 | 192.168.2.4 | 2.17.190.73 |
| Mar 17, 2025 08:20:24.922522068 CET | 49678 | 443 | 192.168.2.4 | 20.189.173.27 |
| Mar 17, 2025 08:20:26.031989098 CET | 49681 | 80 | 192.168.2.4 | 2.17.190.73 |
| Mar 17, 2025 08:20:27.372817993 CET | 49727 | 80 | 192.168.2.4 | 142.250.186.67 |
| Mar 17, 2025 08:20:27.378122091 CET | 80 | 49727 | 142.250.186.67 | 192.168.2.4 |
| Mar 17, 2025 08:20:27.378201008 CET | 49727 | 80 | 192.168.2.4 | 142.250.186.67 |
| Mar 17, 2025 08:20:27.378354073 CET | 49727 | 80 | 192.168.2.4 | 142.250.186.67 |
| Mar 17, 2025 08:20:27.383635044 CET | 80 | 49727 | 142.250.186.67 | 192.168.2.4 |
| Mar 17, 2025 08:20:27.992652893 CET | 80 | 49727 | 142.250.186.67 | 192.168.2.4 |
| Mar 17, 2025 08:20:28.001986980 CET | 49727 | 80 | 192.168.2.4 | 142.250.186.67 |
| Mar 17, 2025 08:20:28.006669998 CET | 80 | 49727 | 142.250.186.67 | 192.168.2.4 |
| Mar 17, 2025 08:20:28.180813074 CET | 80 | 49727 | 142.250.186.67 | 192.168.2.4 |
| Mar 17, 2025 08:20:28.235043049 CET | 49727 | 80 | 192.168.2.4 | 142.250.186.67 |
| Mar 17, 2025 08:20:28.438169003 CET | 49681 | 80 | 192.168.2.4 | 2.17.190.73 |
| Mar 17, 2025 08:20:29.735189915 CET | 49678 | 443 | 192.168.2.4 | 20.189.173.27 |
| Mar 17, 2025 08:20:30.578834057 CET | 49671 | 443 | 192.168.2.4 | 204.79.197.203 |
| Mar 17, 2025 08:20:33.250811100 CET | 49681 | 80 | 192.168.2.4 | 2.17.190.73 |
| Mar 17, 2025 08:20:39.344526052 CET | 49678 | 443 | 192.168.2.4 | 20.189.173.27 |
| Mar 17, 2025 08:20:42.860141993 CET | 49681 | 80 | 192.168.2.4 | 2.17.190.73 |
| Mar 17, 2025 08:20:56.791107893 CET | 80 | 49710 | 217.20.57.19 | 192.168.2.4 |
| Mar 17, 2025 08:20:56.791241884 CET | 49710 | 80 | 192.168.2.4 | 217.20.57.19 |
| Mar 17, 2025 08:21:29.188662052 CET | 49727 | 80 | 192.168.2.4 | 142.250.186.67 |
| Mar 17, 2025 08:21:29.195442915 CET | 80 | 49727 | 142.250.186.67 | 192.168.2.4 |
| Mar 17, 2025 08:21:29.195514917 CET | 49727 | 80 | 192.168.2.4 | 142.250.186.67 |
| Mar 17, 2025 08:21:58.921596050 CET | 443 | 49709 | 131.253.33.254 | 192.168.2.4 |
| Mar 17, 2025 08:21:58.921680927 CET | 49709 | 443 | 192.168.2.4 | 131.253.33.254 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 17, 2025 08:20:10.402342081 CET | 65200 | 53 | 192.168.2.4 | 1.1.1.1 |
| Mar 17, 2025 08:20:10.408970118 CET | 53 | 65200 | 1.1.1.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:11.469361067 CET | 62468 | 53 | 192.168.2.4 | 1.1.1.1 |
| Mar 17, 2025 08:20:11.481318951 CET | 53 | 62468 | 1.1.1.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:27.363631010 CET | 50241 | 53 | 192.168.2.4 | 1.1.1.1 |
| Mar 17, 2025 08:20:27.370429993 CET | 53 | 50241 | 1.1.1.1 | 192.168.2.4 |
| Mar 17, 2025 08:20:40.236231089 CET | 63855 | 53 | 192.168.2.4 | 1.1.1.1 |
| Mar 17, 2025 08:20:40.242855072 CET | 53 | 63855 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Mar 17, 2025 08:20:10.402342081 CET | 192.168.2.4 | 1.1.1.1 | 0x6ae1 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2025 08:20:11.469361067 CET | 192.168.2.4 | 1.1.1.1 | 0xddb9 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2025 08:20:27.363631010 CET | 192.168.2.4 | 1.1.1.1 | 0x668a | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Mar 17, 2025 08:20:40.236231089 CET | 192.168.2.4 | 1.1.1.1 | 0xa88 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Mar 17, 2025 08:20:10.408970118 CET | 1.1.1.1 | 192.168.2.4 | 0x6ae1 | No error (0) | 149.154.167.99 | A (IP address) | IN (0x0001) | false | ||
| Mar 17, 2025 08:20:11.481318951 CET | 1.1.1.1 | 192.168.2.4 | 0xddb9 | No error (0) | 104.21.32.1 | A (IP address) | IN (0x0001) | false | ||
| Mar 17, 2025 08:20:11.481318951 CET | 1.1.1.1 | 192.168.2.4 | 0xddb9 | No error (0) | 104.21.112.1 | A (IP address) | IN (0x0001) | false | ||
| Mar 17, 2025 08:20:11.481318951 CET | 1.1.1.1 | 192.168.2.4 | 0xddb9 | No error (0) | 104.21.48.1 | A (IP address) | IN (0x0001) | false | ||
| Mar 17, 2025 08:20:11.481318951 CET | 1.1.1.1 | 192.168.2.4 | 0xddb9 | No error (0) | 104.21.16.1 | A (IP address) | IN (0x0001) | false | ||
| Mar 17, 2025 08:20:11.481318951 CET | 1.1.1.1 | 192.168.2.4 | 0xddb9 | No error (0) | 104.21.64.1 | A (IP address) | IN (0x0001) | false | ||
| Mar 17, 2025 08:20:11.481318951 CET | 1.1.1.1 | 192.168.2.4 | 0xddb9 | No error (0) | 104.21.80.1 | A (IP address) | IN (0x0001) | false | ||
| Mar 17, 2025 08:20:11.481318951 CET | 1.1.1.1 | 192.168.2.4 | 0xddb9 | No error (0) | 104.21.96.1 | A (IP address) | IN (0x0001) | false | ||
| Mar 17, 2025 08:20:26.867141962 CET | 1.1.1.1 | 192.168.2.4 | 0xef02 | No error (0) | 199.232.214.172 | A (IP address) | IN (0x0001) | false | ||
| Mar 17, 2025 08:20:26.867141962 CET | 1.1.1.1 | 192.168.2.4 | 0xef02 | No error (0) | 199.232.210.172 | A (IP address) | IN (0x0001) | false | ||
| Mar 17, 2025 08:20:27.370429993 CET | 1.1.1.1 | 192.168.2.4 | 0x668a | No error (0) | pki-goog.l.google.com | CNAME (Canonical name) | IN (0x0001) | false | ||
| Mar 17, 2025 08:20:27.370429993 CET | 1.1.1.1 | 192.168.2.4 | 0x668a | No error (0) | 142.250.186.67 | A (IP address) | IN (0x0001) | false | ||
| Mar 17, 2025 08:20:40.242855072 CET | 1.1.1.1 | 192.168.2.4 | 0xa88 | No error (0) | pki-goog.l.google.com | CNAME (Canonical name) | IN (0x0001) | false | ||
| Mar 17, 2025 08:20:40.242855072 CET | 1.1.1.1 | 192.168.2.4 | 0xa88 | No error (0) | 142.250.185.227 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port |
|---|---|---|---|---|
| 0 | 192.168.2.4 | 49727 | 142.250.186.67 | 80 |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Mar 17, 2025 08:20:27.378354073 CET | 202 | OUT | |
| Mar 17, 2025 08:20:27.992652893 CET | 222 | IN | |
| Mar 17, 2025 08:20:28.001986980 CET | 200 | OUT | |
| Mar 17, 2025 08:20:28.180813074 CET | 222 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49711 | 149.154.167.99 | 443 | 7892 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-03-17 07:20:11 UTC | 64 | OUT | |
| 2025-03-17 07:20:11 UTC | 512 | IN | |
| 2025-03-17 07:20:11 UTC | 12373 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49712 | 104.21.32.1 | 443 | 7892 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-03-17 07:20:11 UTC | 266 | OUT | |
| 2025-03-17 07:20:11 UTC | 65 | OUT | |
| 2025-03-17 07:20:12 UTC | 788 | IN | |
| 2025-03-17 07:20:12 UTC | 1369 | IN | |
| 2025-03-17 07:20:12 UTC | 1369 | IN | |
| 2025-03-17 07:20:12 UTC | 1369 | IN | |
| 2025-03-17 07:20:12 UTC | 1369 | IN | |
| 2025-03-17 07:20:12 UTC | 1369 | IN | |
| 2025-03-17 07:20:12 UTC | 1369 | IN | |
| 2025-03-17 07:20:12 UTC | 1369 | IN | |
| 2025-03-17 07:20:12 UTC | 1369 | IN | |
| 2025-03-17 07:20:12 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.4 | 49713 | 104.21.32.1 | 443 | 7892 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-03-17 07:20:13 UTC | 276 | OUT | |
| 2025-03-17 07:20:13 UTC | 15331 | OUT | |
| 2025-03-17 07:20:13 UTC | 4264 | OUT | |
| 2025-03-17 07:20:13 UTC | 272 | IN | |
| 2025-03-17 07:20:13 UTC | 74 | IN | |
| 2025-03-17 07:20:13 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.4 | 49714 | 104.21.32.1 | 443 | 7892 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-03-17 07:20:14 UTC | 276 | OUT | |
| 2025-03-17 07:20:14 UTC | 8757 | OUT | |
| 2025-03-17 07:20:14 UTC | 818 | IN | |
| 2025-03-17 07:20:14 UTC | 74 | IN | |
| 2025-03-17 07:20:14 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.4 | 49717 | 104.21.32.1 | 443 | 7892 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-03-17 07:20:15 UTC | 280 | OUT | |
| 2025-03-17 07:20:15 UTC | 15331 | OUT | |
| 2025-03-17 07:20:15 UTC | 5094 | OUT | |
| 2025-03-17 07:20:15 UTC | 818 | IN | |
| 2025-03-17 07:20:15 UTC | 74 | IN | |
| 2025-03-17 07:20:15 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.4 | 49718 | 104.21.32.1 | 443 | 7892 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-03-17 07:20:16 UTC | 282 | OUT | |
| 2025-03-17 07:20:16 UTC | 2685 | OUT | |
| 2025-03-17 07:20:16 UTC | 814 | IN | |
| 2025-03-17 07:20:16 UTC | 74 | IN | |
| 2025-03-17 07:20:16 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.4 | 49720 | 104.21.32.1 | 443 | 7892 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-03-17 07:20:17 UTC | 280 | OUT | |
| 2025-03-17 07:20:17 UTC | 15331 | OUT | |
| 2025-03-17 07:20:17 UTC | 15331 | OUT | |
| 2025-03-17 07:20:17 UTC | 15331 | OUT | |
| 2025-03-17 07:20:17 UTC | 15331 | OUT | |
| 2025-03-17 07:20:17 UTC | 15331 | OUT | |
| 2025-03-17 07:20:17 UTC | 15331 | OUT | |
| 2025-03-17 07:20:17 UTC | 15331 | OUT | |
| 2025-03-17 07:20:17 UTC | 15331 | OUT | |
| 2025-03-17 07:20:17 UTC | 15331 | OUT | |
| 2025-03-17 07:20:17 UTC | 15331 | OUT | |
| 2025-03-17 07:20:19 UTC | 822 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.4 | 49722 | 104.21.32.1 | 443 | 7892 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-03-17 07:20:19 UTC | 267 | OUT | |
| 2025-03-17 07:20:19 UTC | 103 | OUT | |
| 2025-03-17 07:20:20 UTC | 785 | IN | |
| 2025-03-17 07:20:20 UTC | 584 | IN | |
| 2025-03-17 07:20:20 UTC | 1369 | IN | |
| 2025-03-17 07:20:20 UTC | 1369 | IN | |
| 2025-03-17 07:20:20 UTC | 1369 | IN | |
| 2025-03-17 07:20:20 UTC | 1369 | IN | |
| 2025-03-17 07:20:20 UTC | 1369 | IN | |
| 2025-03-17 07:20:20 UTC | 1369 | IN | |
| 2025-03-17 07:20:20 UTC | 1369 | IN | |
| 2025-03-17 07:20:20 UTC | 343 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 03:20:09 |
| Start date: | 17/03/2025 |
| Path: | C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.7894.13424.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff748ae0000 |
| File size: | 588'288 bytes |
| MD5 hash: | B18D980CFDCE9F0758CDC8DB9E7F6BF4 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 03:20:09 |
| Start date: | 17/03/2025 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff62fc20000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 03:20:09 |
| Start date: | 17/03/2025 |
| Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xa30000 |
| File size: | 262'432 bytes |
| MD5 hash: | 8FDF47E0FF70C40ED3A17014AEEA4232 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | high |
| Has exited: | false |