Windows Analysis Report: SoftWare(1).exe
Overview
General Information
Detection
LummaC Stealer
Score: 100
Range: 0 - 100
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign process
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
- SoftWare(1).exe (PID: 6340, cmdline: "C:\Users\user\Desktop\SoftWare(1).exe", MD5: 34EB7041BA6EFD18C92455835185719A)
  - MSBuild.exe (PID: 6604, cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  - MpCmdRun.exe (PID: 1196, cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable, MD5: B3676839B2EE96983F9ED735CD044159)
  - conhost.exe (PID: 4328, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
{"C2 url": ["clarmodq.top/qoxo", "jawdedmirror.run/ewqd", "changeaie.top/geps", "lonfgshadow.live/xawi", "liftally.top/xasj", "nighetwhisper.top/lekd", "salaccgfa.top/gsooz", "zestmodp.top/zeda", "owlflright.digital/qopy"], "Build id": "b9abc76ce53b6fc3a03566f8f764f5ea"}
Rule | Description | Author
---|---|---
JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security
JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security

Rule | Description | Author
---|---|---
JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security

System Summary
Sigma rule author: Kiran kumar s, oscd.community
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
---|---|---|---|---|---|---|---|---
2025-04-12T01:47:14.735982+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49682 | 104.21.85.126 | 443 | TCP
2025-04-12T01:47:16.176118+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49683 | 104.21.85.126 | 443 | TCP
2025-04-12T01:47:17.317361+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49684 | 104.21.85.126 | 443 | TCP
2025-04-12T01:47:18.332446+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49685 | 104.21.85.126 | 443 | TCP
2025-04-12T01:47:20.264180+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49686 | 104.21.85.126 | 443 | TCP
2025-04-12T01:47:21.124173+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49687 | 104.21.85.126 | 443 | TCP
2025-04-12T01:47:21.938714+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49688 | 104.21.85.126 | 443 | TCP
2025-04-12T01:47:14.735982+0200 | 2061392 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 49682 | 104.21.85.126 | 443 | TCP
2025-04-12T01:47:16.176118+0200 | 2061392 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 49683 | 104.21.85.126 | 443 | TCP
2025-04-12T01:47:17.317361+0200 | 2061392 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 49684 | 104.21.85.126 | 443 | TCP
2025-04-12T01:47:18.332446+0200 | 2061392 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 49685 | 104.21.85.126 | 443 | TCP
2025-04-12T01:47:20.264180+0200 | 2061392 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 49686 | 104.21.85.126 | 443 | TCP
2025-04-12T01:47:21.124173+0200 | 2061392 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 49687 | 104.21.85.126 | 443 | TCP
2025-04-12T01:47:21.938714+0200 | 2061392 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 49688 | 104.21.85.126 | 443 | TCP
2025-04-12T01:47:14.271352+0200 | 2061391 | 1 | Domain Observed Used for C2 Detected | 192.168.2.8 | 51897 | 1.1.1.1 | 53 | UDP
Stealing of Sensitive Information |
---|
Source: | File source: | 5 matches |
Source: | File opened: | 126 events |
Source: | Directory queried: | 10 events |
Remote Access Functionality |
---|
Source: | File source: | 5 matches |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 DLL Side-Loading | 311 Process Injection | 21 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 311 Process Injection | LSASS Memory | 221 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 31 Data from Local System | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 4 Obfuscated Files or Information | NTDS | 1 Process Discovery | Distributed Component Object Model | 2 Clipboard Data | 114 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Software Packing | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 33 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 32% | Virustotal | | Browse |
| 28% | ReversingLabs | Win64.Malware.Generic | |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 100% | Avira URL Cloud | malware | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 100% | Avira URL Cloud | malware | |
| 100% | Avira URL Cloud | malware | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
clarmodq.top | 104.21.85.126 | true | false | | high |
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 217.20.48.23 | true | false | | high |
pki-goog.l.google.com | 74.125.21.94 | true | false | | high |
c.pki.goog | unknown | unknown | false | | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| false | | high |
| true | | unknown |
| false | | high |
| true | | unknown |
| true | | unknown |
| false | | high |
| false | | high |
| true | | unknown |
| false | | high |
| false | | high |
| false | | high |
| false | | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
104.21.85.126 | clarmodq.top | United States | | 13335 | CLOUDFLARENETUS | false |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1663607 |
Start date and time: | 2025-04-12 01:46:13 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 59s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 13 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | SoftWare(1).exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@5/1@3/1 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): dllhost.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 4.245.163.56, 217.20.48.23, 13.95.31.18, 20.242.39.171, 23.76.34.6
- Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description |
---|---|---|
19:47:14 | API Interceptor | |
19:48:51 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
104.21.85.126 | | Get hash | malicious | Amadey, LummaC Stealer | Browse | |
| | Get hash | malicious | Amadey, LummaC Stealer | Browse | |
| | Get hash | malicious | Amadey, LummaC Stealer | Browse | |
| | Get hash | malicious | Amadey, LummaC Stealer | Browse | |
| | Get hash | malicious | Amadey, CryptOne, LummaC Stealer | Browse | |
| | Get hash | malicious | Amadey, LummaC Stealer | Browse | |
| | Get hash | malicious | Amadey, LummaC Stealer | Browse | |
| | Get hash | malicious | Amadey, LummaC Stealer | Browse | |
| | Get hash | malicious | Amadey, AsyncRAT, CryptOne, DarkTortilla, LummaC Stealer, SmokeLoader | Browse | |
| | Get hash | malicious | LummaC Stealer, Xmrig | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | ScreenConnect Tool | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Metasploit | Browse | |
clarmodq.top | | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | Amadey, LummaC Stealer | Browse | |
| | Get hash | malicious | Amadey, LummaC Stealer | Browse | |
| | Get hash | malicious | Amadey, LummaC Stealer | Browse | |
| | Get hash | malicious | Amadey, LummaC Stealer | Browse | |
| | Get hash | malicious | Amadey, LummaC Stealer | Browse | |
| | Get hash | malicious | Amadey, CryptOne, LummaC Stealer | Browse | |
| | Get hash | malicious | Amadey, LummaC Stealer | Browse | |
| | Get hash | malicious | Amadey, LummaC Stealer | Browse | |
pki-goog.l.google.com | | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | HTMLPhisher | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | AsyncRAT | Browse | |
| | Get hash | malicious | Unknown | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CLOUDFLARENETUS | | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | Browse | |
| | Get hash | malicious | Latrodectus | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Captcha Phish | Browse | |
| | Get hash | malicious | Captcha Phish | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | HTMLPhisher, LummaC Stealer | Browse | |
| | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | LummaC Stealer | Browse | |
⊘No context
Process: | C:\Program Files\Windows Defender\MpCmdRun.exe |
File Type: | |
Category: | modified |
Size (bytes): | 2464 |
Entropy (8bit): | 3.2484645093538975 |
Encrypted: | false |
SSDEEP: | 24:QOaqdmuF3r+2+kWReHgHttUKlDENh+pyMySn6tUKlDENh+pyMySwwIPVxcwIPVxr:FaqdF7B+AAHdKoqKFxcxkFP2P |
MD5: | E697877C805CABFB46209C246DBB5E94 |
SHA1: | D9C818F67C8CF3EA8275B29D3E4F2D07F496F9FB |
SHA-256: | DFD5703DF0F6107FF92B378C003FEEFD5AE303DD299AED58EE6C6F45F08E4161 |
SHA-512: | F4ED9019ED2A0306EE3A1AF13C199FDC3069E1F8DDD76C4FCD00A55C92A2F1FCFB89AE38DE98D7DE81F59E15DC200A39C9C7A310B0A814B8E49E51F4F6FFD709 |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 7.620515411278492 |
TrID: |
|
File name: | SoftWare(1).exe |
File size: | 1'582'080 bytes |
MD5: | 34eb7041ba6efd18c92455835185719a |
SHA1: | 61581d4c73c8395fdb6968d36e6360cf65b8ab40 |
SHA256: | e43dd6e0b653aed2ed73a33c71cbb03a9b56b5ae4c53a0f1e73d9d78d5569aa5 |
SHA512: | 9aea46b5fe6735494fd3f50decdc3ab55004ebaf7acbe4ef16677bdc75be768fddba96f9c16d1e957a00bfc0e5085bc79eac51b4cb823777e39b855b1f6a1fdd |
SSDEEP: | 24576:rFtBhmrPJpYSHCLuc/NQXzwX6pYPq50IuyXzwX6pYPq50Iu:xfo6NfXMYPqaXMYPq |
TLSH: | 8C75D02A519192DAF5D544B37A89A290B023F673873D1FEF80F4E3252547EE40B3E71A |
File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...gA.g.........."......|.....................@....................................G.....`........................................ |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x14009a188 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x140000000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x67F94167 [Fri Apr 11 16:20:55 2025 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | a898adc0428740dd4fad8431feafaf7a |
Instruction (entrypoint bytes, shown by the sandbox decoded as 32-bit x86: every "dec eax" below is the 0x48 REX.W prefix of the following 64-bit instruction, so "dec eax / sub esp, 28h" is sub rsp, 28h; the stub is the standard MSVC x64 CRT entry, sub rsp,28h / call __security_init_cookie / add rsp,28h / jmp __scrt_common_main_seh, and the "mov ebx, 2DDFA232h" followed by cdq / sub / add / ret is the 64-bit immediate 2B992DDFA232h, the default /GS security cookie, being loaded into rbx and compared) |
---|
dec eax |
sub esp, 28h |
call 00007F7B7C7E05D0h |
dec eax |
add esp, 28h |
jmp 00007F7B7C7E043Fh |
int3 |
int3 |
dec eax |
mov dword ptr [esp+18h], ebx |
push ebp |
dec eax |
mov ebp, esp |
dec eax |
sub esp, 30h |
dec eax |
mov eax, dword ptr [000310D0h] |
dec eax |
mov ebx, 2DDFA232h |
cdq |
sub eax, dword ptr [eax] |
add byte ptr [eax+3Bh], cl |
ret |
jne 00007F7B7C7E0636h |
dec eax |
and dword ptr [ebp+10h], 00000000h |
dec eax |
lea ecx, dword ptr [ebp+10h] |
call dword ptr [0002C042h] |
dec eax |
mov eax, dword ptr [ebp+10h] |
dec eax |
mov dword ptr [ebp-10h], eax |
call dword ptr [0002BFACh] |
mov eax, eax |
dec eax |
xor dword ptr [ebp-10h], eax |
call dword ptr [0002BF98h] |
mov eax, eax |
dec eax |
lea ecx, dword ptr [ebp+18h] |
dec eax |
xor dword ptr [ebp-10h], eax |
call dword ptr [0002C0B8h] |
mov eax, dword ptr [ebp+18h] |
dec eax |
lea ecx, dword ptr [ebp-10h] |
dec eax |
shl eax, 20h |
dec eax |
xor eax, dword ptr [ebp+18h] |
dec eax |
xor eax, dword ptr [ebp-10h] |
dec eax |
xor eax, ecx |
dec eax |
mov ecx, FFFFFFFFh |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc5d50 | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x18c000 | 0x7cb | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xd0000 | 0x31ec | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xdd000 | 0xaa0 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc16c0 | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xbb200 | 0x140 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0xc6090 | 0x318 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xb7a2e | 0xb7c00 | 95b7b1836694c92f6874e40f5216f1fb | False | 0.514859693877551 | data | 7.049880263957565 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0xb9000 | 0x101cc | 0x10200 | 9461490fcd9fdc1d1fb916349bae1ce3 | False | 0.4074309593023256 | OpenPGP Secret Key Version 6 | 4.8837328659943715 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xca000 | 0x5ad8 | 0x2400 | eeed9b9b3929e95e2f9accf23ca9bb80 | False | 0.1616753472222222 | data | 3.921203399253688 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0xd0000 | 0x31ec | 0x3200 | 6cbba02ee6fcebeda3c818e974065395 | False | 0.50171875 | data | 5.792295577943378 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.B5 | 0xd4000 | 0x3229 | 0x3400 | 75cda5ec0badb9868a9b1af833ca345b | False | 0.5454477163461539 | data | 6.940675920308152 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.gxfg | 0xd8000 | 0x1c70 | 0x1e00 | e1645edf2fc209056c11ba2648aac183 | False | 0.41692708333333334 | data | 4.978526138512825 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.retplne | 0xda000 | 0x8c | 0x200 | 8c950f651287cbc1296bcb4e8cd7e990 | False | 0.126953125 | data | 1.050583247971927 | |
.tls | 0xdb000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
_RDATA | 0xdc000 | 0x1f4 | 0x200 | 4c3192380a3877e08356b066c9690811 | False | 0.541015625 | data | 4.232091808468937 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0xdd000 | 0xaa0 | 0xc00 | c0d3f84af9e48e1df863556f22715610 | False | 0.4775390625 | data | 5.201784219915228 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.jss | 0xde000 | 0x56e00 | 0x56e00 | e12d198336ff2e17dd3eeaea7324adb6 | False | 1.0003259892086331 | data | 7.999498177166648 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.jss | 0x135000 | 0x56e00 | 0x56e00 | e12d198336ff2e17dd3eeaea7324adb6 | False | 1.0003259892086331 | data | 7.999498177166648 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x18c000 | 0x7cb | 0x800 | f635ea042fd2036c44cd7e7f38cfd43e | False | 0.4345703125 | data | 4.563754337342242 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0x18c0a0 | 0x364 | data | English | United States | 0.4608294930875576 |
RT_MANIFEST | 0x18c404 | 0x3c7 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.46328852119958636 |
DLL | Import |
---|---|
KERNEL32.dll | AcquireSRWLockExclusive, CloseHandle, CloseThreadpoolWork, CreateFileA, CreateFileW, CreateThreadpoolWork, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlsAlloc, FlsFree, FlsGetValue, FlsSetValue, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryWhenCallbackReturns, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitOnceBeginInitialize, InitOnceComplete, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlCaptureContext, RtlLookupFunctionEntry, RtlPcToFileHeader, RtlUnwind, RtlUnwindEx, RtlVirtualUnwind, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, Sleep, SleepConditionVariableSRW, SubmitThreadpoolWork, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile |
Description | Data |
---|---|
CompanyName | Microsoft Corporation |
FileDescription | Microsoft HTML Help Executable |
FileVersion | 10.0.19041.1 (WinBuild.160101.0800) |
InternalName | HH 1.41 |
LegalCopyright | Microsoft Corporation. All rights reserved. |
OriginalFilename | HH.exe |
ProductName | HTML Help |
ProductVersion | 10.0.19041.1 |
Translation | 0x0409 0x04b0 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
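Read together, the section table, the version resource and the import list above give a static triage picture before any dynamic run: two identical 0x56e00-byte .jss sections at entropy 7.999 (a packed payload holding roughly 45% of the file's raw bytes), executable code in a non-standard .B5 section, a version resource claiming Microsoft's HH.exe while IMAGE_DIRECTORY_ENTRY_SECURITY has size 0 (no Authenticode signature), and a KERNEL32-only import table that still carries GetProcAddress and LoadLibraryExW, which is consistent with the "accesses loader functionality" signature in the report. The Python below is an added example and not Joe Sandbox code; it encodes those checks over values copied from this report's tables. The expected-section-name list, the 7.5 entropy threshold, the "typical" section count and the abridged import list are the author's assumptions.

```python
"""Static triage checks over the PE metadata listed in this report.

Added example; not Joe Sandbox code. SECTIONS, VERSION_INFO, SECURITY_DIR_SIZE
and IMPORTS are copied (IMPORTS abridged) from the report's tables.
EXPECTED_NAMES, HIGH_ENTROPY and TYPICAL_SECTION_COUNT are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Section:
    name: str
    virtual_size: int
    raw_size: int
    entropy: float          # 8-bit Shannon entropy, as the sandbox reports it
    characteristics: frozenset


# Copied from the report's section table (IMAGE_SCN_ prefix dropped).
SECTIONS = [
    Section(".text",    0xb7a2e, 0xb7c00, 7.050, frozenset({"CNT_CODE", "MEM_EXECUTE", "MEM_READ"})),
    Section(".rdata",   0x101cc, 0x10200, 4.884, frozenset({"CNT_INITIALIZED_DATA", "MEM_READ"})),
    Section(".data",    0x5ad8,  0x2400,  3.921, frozenset({"CNT_INITIALIZED_DATA", "MEM_READ", "MEM_WRITE"})),
    Section(".pdata",   0x31ec,  0x3200,  5.792, frozenset({"CNT_INITIALIZED_DATA", "MEM_READ"})),
    Section(".B5",      0x3229,  0x3400,  6.941, frozenset({"CNT_CODE", "MEM_EXECUTE", "MEM_READ"})),
    Section(".gxfg",    0x1c70,  0x1e00,  4.979, frozenset({"CNT_INITIALIZED_DATA", "MEM_READ"})),
    Section(".retplne", 0x8c,    0x200,   1.051, frozenset()),
    Section(".tls",     0x9,     0x200,   0.020, frozenset({"CNT_INITIALIZED_DATA", "MEM_READ", "MEM_WRITE"})),
    Section("_RDATA",   0x1f4,   0x200,   4.232, frozenset({"CNT_INITIALIZED_DATA", "MEM_READ"})),
    Section(".reloc",   0xaa0,   0xc00,   5.202, frozenset({"CNT_INITIALIZED_DATA", "MEM_DISCARDABLE", "MEM_READ"})),
    Section(".jss",     0x56e00, 0x56e00, 7.999, frozenset({"CNT_INITIALIZED_DATA", "MEM_READ", "MEM_WRITE"})),
    Section(".jss",     0x56e00, 0x56e00, 7.999, frozenset({"CNT_INITIALIZED_DATA", "MEM_READ", "MEM_WRITE"})),
    Section(".rsrc",    0x7cb,   0x800,   4.564, frozenset({"CNT_INITIALIZED_DATA", "MEM_READ"})),
]

# Copied from the report's version resource and data-directory table.
VERSION_INFO = {"CompanyName": "Microsoft Corporation", "OriginalFilename": "HH.exe",
                "FileDescription": "Microsoft HTML Help Executable"}
SECURITY_DIR_SIZE = 0x0          # IMAGE_DIRECTORY_ENTRY_SECURITY size 0: no Authenticode blob
SUBMITTED_NAME = "SoftWare(1).exe"
IMPORTS = {"KERNEL32.dll": ["CreateFileW", "GetProcAddress", "LoadLibraryExW",
                            "IsDebuggerPresent", "Sleep", "WriteFile"]}   # abridged

# Assumptions, not from the report. _RDATA is a legitimate MSVC x64 section.
EXPECTED_NAMES = {".text", ".rdata", ".data", ".pdata", ".tls", ".reloc", ".rsrc",
                  ".idata", ".edata", ".bss", ".CRT", "_RDATA", ".gfids", ".00cfg"}
HIGH_ENTROPY = 7.5               # above this a section is almost certainly packed or encrypted
TYPICAL_SECTION_COUNT = 8


def section_findings(sections):
    """Return (findings, fraction of raw bytes sitting in high-entropy sections)."""
    findings = []
    names = [s.name for s in sections]
    if len(sections) > TYPICAL_SECTION_COUNT:
        findings.append(f"{len(sections)} sections (typical build has at most {TYPICAL_SECTION_COUNT})")
    for name in sorted(set(names) - EXPECTED_NAMES):
        findings.append(f"non-standard section name {name}")
    for name in sorted({n for n in names if names.count(n) > 1}):
        findings.append(f"duplicate section name {name}")
    packed = 0
    for s in sections:
        if s.entropy >= HIGH_ENTROPY:
            findings.append(f"high-entropy section {s.name} ({s.entropy:.3f}, {s.raw_size:#x} raw bytes)")
            packed += s.raw_size
        if {"MEM_EXECUTE", "MEM_WRITE"} <= s.characteristics:
            findings.append(f"writable and executable section {s.name}")
        if "CNT_CODE" in s.characteristics and s.name != ".text":
            findings.append(f"executable code outside .text: {s.name}")
    total_raw = sum(s.raw_size for s in sections)
    return findings, (packed / total_raw if total_raw else 0.0)


def identity_findings(version_info, security_dir_size, submitted_name):
    """Flag a version resource whose claims the binary cannot back up."""
    findings = []
    if "microsoft" in version_info.get("CompanyName", "").lower() and security_dir_size == 0:
        findings.append("CompanyName claims Microsoft Corporation but there is no Authenticode signature")
    original = version_info.get("OriginalFilename", "")
    if original and original.lower() != submitted_name.lower():
        findings.append(f"OriginalFilename {original} does not match submitted name {submitted_name}")
    return findings


def import_findings(imports):
    """Flag an import table that is too thin for what the sample does at runtime."""
    findings = []
    names = {f for funcs in imports.values() for f in funcs}
    if {d.lower() for d in imports} == {"kernel32.dll"} and {"GetProcAddress", "LoadLibraryExW"} <= names:
        findings.append("only KERNEL32 imported, with GetProcAddress/LoadLibraryExW: APIs resolved at runtime")
    if "IsDebuggerPresent" in names:
        findings.append("IsDebuggerPresent imported")
    return findings


def triage():
    sec, packed_ratio = section_findings(SECTIONS)
    return {"sections": sec, "packed_ratio": packed_ratio,
            "identity": identity_findings(VERSION_INFO, SECURITY_DIR_SIZE, SUBMITTED_NAME),
            "imports": import_findings(IMPORTS)}


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

None of these checks is conclusive on its own (legitimate installers also carry packed sections, and unsigned Microsoft-branded binaries exist), but the combination of a duplicated high-entropy section, code outside .text and a spoofed version resource with no signature is what justifies detonating the sample rather than trusting the CompanyName field.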
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-04-12T01:47:14.271352+0200 | 2061391 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clarmodq .top) | 1 | 192.168.2.8 | 51897 | 1.1.1.1 | 53 | UDP |
2025-04-12T01:47:14.735982+0200 | 2061392 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (clarmodq .top in TLS SNI) | 1 | 192.168.2.8 | 49682 | 104.21.85.126 | 443 | TCP |
2025-04-12T01:47:14.735982+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49682 | 104.21.85.126 | 443 | TCP |
2025-04-12T01:47:16.176118+0200 | 2061392 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (clarmodq .top in TLS SNI) | 1 | 192.168.2.8 | 49683 | 104.21.85.126 | 443 | TCP |
2025-04-12T01:47:16.176118+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49683 | 104.21.85.126 | 443 | TCP |
2025-04-12T01:47:17.317361+0200 | 2061392 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (clarmodq .top in TLS SNI) | 1 | 192.168.2.8 | 49684 | 104.21.85.126 | 443 | TCP |
2025-04-12T01:47:17.317361+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49684 | 104.21.85.126 | 443 | TCP |
2025-04-12T01:47:18.332446+0200 | 2061392 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (clarmodq .top in TLS SNI) | 1 | 192.168.2.8 | 49685 | 104.21.85.126 | 443 | TCP |
2025-04-12T01:47:18.332446+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49685 | 104.21.85.126 | 443 | TCP |
2025-04-12T01:47:20.264180+0200 | 2061392 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (clarmodq .top in TLS SNI) | 1 | 192.168.2.8 | 49686 | 104.21.85.126 | 443 | TCP |
2025-04-12T01:47:20.264180+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49686 | 104.21.85.126 | 443 | TCP |
2025-04-12T01:47:21.124173+0200 | 2061392 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (clarmodq .top in TLS SNI) | 1 | 192.168.2.8 | 49687 | 104.21.85.126 | 443 | TCP |
2025-04-12T01:47:21.124173+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49687 | 104.21.85.126 | 443 | TCP |
2025-04-12T01:47:21.938714+0200 | 2061392 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (clarmodq .top in TLS SNI) | 1 | 192.168.2.8 | 49688 | 104.21.85.126 | 443 | TCP |
2025-04-12T01:47:21.938714+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49688 | 104.21.85.126 | 443 | TCP |
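The Suricata table above is the network side of the verdict: one DNS lookup for the C2 domain, then seven TLS sessions to 104.21.85.126 in about seven seconds, each on a fresh source port and each also matching the JA3 rule. The Python below is an added example and not part of the Joe Sandbox report; it parses those fifteen rows (copied verbatim from the table, pipe-separated) and turns them into the figures an analyst would put in an incident note: sessions per rule and destination, source-port churn, time span, mean inter-session gap, the refanged domain from the ET rule name, and the delay between the DNS alert and the first TLS alert. The minimum-sessions threshold is an assumption.

```python
"""Correlate the Suricata alerts listed in this report into a C2 summary.

Added example; not part of the Joe Sandbox report. ALERTS is copied from the
report's Suricata table. The parsing, refanging and beacon statistics are
the author's; MIN_SESSIONS is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime

ALERTS = """\
2025-04-12T01:47:14.271352+0200 | 2061391 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clarmodq .top) | 1 | 192.168.2.8 | 51897 | 1.1.1.1 | 53 | UDP
2025-04-12T01:47:14.735982+0200 | 2061392 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (clarmodq .top in TLS SNI) | 1 | 192.168.2.8 | 49682 | 104.21.85.126 | 443 | TCP
2025-04-12T01:47:14.735982+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49682 | 104.21.85.126 | 443 | TCP
2025-04-12T01:47:16.176118+0200 | 2061392 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (clarmodq .top in TLS SNI) | 1 | 192.168.2.8 | 49683 | 104.21.85.126 | 443 | TCP
2025-04-12T01:47:16.176118+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49683 | 104.21.85.126 | 443 | TCP
2025-04-12T01:47:17.317361+0200 | 2061392 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (clarmodq .top in TLS SNI) | 1 | 192.168.2.8 | 49684 | 104.21.85.126 | 443 | TCP
2025-04-12T01:47:17.317361+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49684 | 104.21.85.126 | 443 | TCP
2025-04-12T01:47:18.332446+0200 | 2061392 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (clarmodq .top in TLS SNI) | 1 | 192.168.2.8 | 49685 | 104.21.85.126 | 443 | TCP
2025-04-12T01:47:18.332446+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49685 | 104.21.85.126 | 443 | TCP
2025-04-12T01:47:20.264180+0200 | 2061392 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (clarmodq .top in TLS SNI) | 1 | 192.168.2.8 | 49686 | 104.21.85.126 | 443 | TCP
2025-04-12T01:47:20.264180+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49686 | 104.21.85.126 | 443 | TCP
2025-04-12T01:47:21.124173+0200 | 2061392 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (clarmodq .top in TLS SNI) | 1 | 192.168.2.8 | 49687 | 104.21.85.126 | 443 | TCP
2025-04-12T01:47:21.124173+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49687 | 104.21.85.126 | 443 | TCP
2025-04-12T01:47:21.938714+0200 | 2061392 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (clarmodq .top in TLS SNI) | 1 | 192.168.2.8 | 49688 | 104.21.85.126 | 443 | TCP
2025-04-12T01:47:21.938714+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49688 | 104.21.85.126 | 443 | TCP
"""

FIELDS = ("ts", "sid", "signature", "severity", "src_ip", "src_port", "dst_ip", "dst_port", "proto")
MIN_SESSIONS = 3            # assumption: fewer connections is not yet "beaconing"
DEFANGED = re.compile(r"\(([A-Za-z0-9-]+) \.([A-Za-z]+)")   # ET writes "clarmodq .top"


def parse_alerts(text):
    """Turn the pipe-separated rows into dicts with typed timestamp and ports."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, (c.strip() for c in line.split("|"))))
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S.%f%z")
        for key in ("sid", "severity", "src_port", "dst_port"):
            rec[key] = int(rec[key])
        alerts.append(rec)
    return alerts


def refang_domain(signature):
    """Recover the real domain from the defanged form inside an ET rule name."""
    m = DEFANGED.search(signature)
    return f"{m.group(1)}.{m.group(2)}" if m else None


def c2_summary(alerts, min_sessions=MIN_SESSIONS):
    """Group TCP alerts by (sid, dst_ip, dst_port) and describe the connection pattern."""
    groups = defaultdict(list)
    for a in alerts:
        if a["proto"] == "TCP":
            groups[(a["sid"], a["dst_ip"], a["dst_port"])].append(a)
    summary = {}
    for key, hits in groups.items():
        if len(hits) < min_sessions:
            continue
        hits.sort(key=lambda a: a["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(hits, hits[1:])]
        summary[key] = {
            "sessions": len(hits),
            "src_ports": sorted({a["src_port"] for a in hits}),
            "span_s": (hits[-1]["ts"] - hits[0]["ts"]).total_seconds(),
            "mean_gap_s": sum(gaps) / len(gaps),
            "domain": refang_domain(hits[0]["signature"]),
        }
    return summary


def dns_to_first_tls_seconds(alerts, domain):
    """Seconds between the DNS-lookup alert for domain and the first TLS alert naming it."""
    dns = [a["ts"] for a in alerts if a["proto"] == "UDP" and refang_domain(a["signature"]) == domain]
    tls = [a["ts"] for a in alerts if a["proto"] == "TCP" and refang_domain(a["signature"]) == domain]
    if not dns or not tls:
        return None
    return (min(tls) - min(dns)).total_seconds()


if __name__ == "__main__":
    parsed = parse_alerts(ALERTS)
    for key, stats in c2_summary(parsed).items():
        print(key, stats)
    print("dns -> first tls:", dns_to_first_tls_seconds(parsed, "clarmodq.top"), "s")
```

The JA3 rule (sid 2028371) fires on every session the SNI rule fires on, so in a real eve.json feed the two would be deduplicated per flow; keeping them as separate keys here makes it visible that both the destination name and the client fingerprint independently matched. Seven sessions on seven consecutive ephemeral ports with a roughly 1.2 s mean gap is the short-lived connect-per-request pattern rather than a persistent channel.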
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 12, 2025 01:47:02.943134069 CEST | 49675 | 443 | 192.168.2.8 | 2.23.227.215 |
Apr 12, 2025 01:47:02.943150997 CEST | 49674 | 443 | 192.168.2.8 | 2.23.227.208 |
Apr 12, 2025 01:47:02.943221092 CEST | 49676 | 443 | 192.168.2.8 | 2.23.227.215 |
Apr 12, 2025 01:47:05.849332094 CEST | 49677 | 80 | 192.168.2.8 | 23.60.201.147 |
Apr 12, 2025 01:47:05.849716902 CEST | 49672 | 443 | 192.168.2.8 | 2.19.104.63 |
Apr 12, 2025 01:47:12.552499056 CEST | 49674 | 443 | 192.168.2.8 | 2.23.227.208 |
Apr 12, 2025 01:47:12.552580118 CEST | 49675 | 443 | 192.168.2.8 | 2.23.227.215 |
Apr 12, 2025 01:47:12.561037064 CEST | 49676 | 443 | 192.168.2.8 | 2.23.227.215 |
Apr 12, 2025 01:47:14.471604109 CEST | 49682 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:14.471648932 CEST | 443 | 49682 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:14.471740007 CEST | 49682 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:14.475692987 CEST | 49682 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:14.475708961 CEST | 443 | 49682 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:14.735826015 CEST | 443 | 49682 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:14.735981941 CEST | 49682 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:14.740015030 CEST | 49682 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:14.740026951 CEST | 443 | 49682 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:14.740325928 CEST | 443 | 49682 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:14.786843061 CEST | 49682 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:14.788561106 CEST | 49682 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:14.788590908 CEST | 49682 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:14.788717985 CEST | 443 | 49682 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:15.319900036 CEST | 443 | 49682 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:15.319966078 CEST | 443 | 49682 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:15.319999933 CEST | 443 | 49682 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:15.320005894 CEST | 49682 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:15.320039034 CEST | 443 | 49682 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:15.320070028 CEST | 443 | 49682 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:15.320074081 CEST | 49682 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:15.320081949 CEST | 443 | 49682 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:15.320122957 CEST | 49682 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:15.320131063 CEST | 443 | 49682 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:15.320425987 CEST | 443 | 49682 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:15.320451021 CEST | 443 | 49682 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:15.320458889 CEST | 49682 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:15.320470095 CEST | 443 | 49682 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:15.320524931 CEST | 49682 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:15.320893049 CEST | 443 | 49682 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:15.364919901 CEST | 49682 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:15.364949942 CEST | 443 | 49682 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:15.411815882 CEST | 49682 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:15.440949917 CEST | 443 | 49682 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:15.441046000 CEST | 443 | 49682 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:15.441067934 CEST | 443 | 49682 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:15.441097021 CEST | 49682 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:15.441131115 CEST | 443 | 49682 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:15.441183090 CEST | 49682 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:15.441322088 CEST | 443 | 49682 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:15.441374063 CEST | 443 | 49682 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:15.441395998 CEST | 443 | 49682 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:15.441414118 CEST | 49682 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:15.441423893 CEST | 443 | 49682 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:15.441484928 CEST | 49682 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:15.442059994 CEST | 443 | 49682 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:15.442111015 CEST | 443 | 49682 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:15.442140102 CEST | 443 | 49682 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:15.442147970 CEST | 49682 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:15.442157984 CEST | 443 | 49682 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:15.442210913 CEST | 49682 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:15.442218065 CEST | 443 | 49682 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:15.442231894 CEST | 443 | 49682 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:15.442274094 CEST | 49682 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:15.445797920 CEST | 49682 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:15.445797920 CEST | 49682 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:15.445836067 CEST | 443 | 49682 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:15.445852041 CEST | 443 | 49682 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:15.458867073 CEST | 49672 | 443 | 192.168.2.8 | 2.19.104.63 |
Apr 12, 2025 01:47:15.458878994 CEST | 49677 | 80 | 192.168.2.8 | 23.60.201.147 |
Apr 12, 2025 01:47:15.920855999 CEST | 49683 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:15.920895100 CEST | 443 | 49683 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:15.921021938 CEST | 49683 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:15.921375990 CEST | 49683 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:15.921389103 CEST | 443 | 49683 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:16.175896883 CEST | 443 | 49683 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:16.176117897 CEST | 49683 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:16.177339077 CEST | 49683 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:16.177355051 CEST | 443 | 49683 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:16.177603960 CEST | 443 | 49683 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:16.178805113 CEST | 49683 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:16.178977966 CEST | 49683 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:16.179003954 CEST | 443 | 49683 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:16.783369064 CEST | 443 | 49683 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:16.783483982 CEST | 443 | 49683 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:16.783581018 CEST | 49683 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:16.783699036 CEST | 49683 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:16.783725023 CEST | 443 | 49683 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:17.056371927 CEST | 49684 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:17.056417942 CEST | 443 | 49684 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:17.056488037 CEST | 49684 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:17.056781054 CEST | 49684 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:17.056797028 CEST | 443 | 49684 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:17.317234039 CEST | 443 | 49684 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:17.317361116 CEST | 49684 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:17.318782091 CEST | 49684 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:17.318794012 CEST | 443 | 49684 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:17.319056988 CEST | 443 | 49684 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:17.320247889 CEST | 49684 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:17.320378065 CEST | 49684 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:17.320416927 CEST | 443 | 49684 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:17.320588112 CEST | 49684 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:17.364284992 CEST | 443 | 49684 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:17.952411890 CEST | 443 | 49684 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:17.952541113 CEST | 443 | 49684 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:17.952626944 CEST | 49684 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:17.952910900 CEST | 49684 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:17.952930927 CEST | 443 | 49684 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:18.079961061 CEST | 49685 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:18.080008030 CEST | 443 | 49685 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:18.080091953 CEST | 49685 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:18.080387115 CEST | 49685 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:18.080398083 CEST | 443 | 49685 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:18.332304955 CEST | 443 | 49685 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:18.332446098 CEST | 49685 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:18.333899975 CEST | 49685 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:18.333909988 CEST | 443 | 49685 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:18.334136009 CEST | 443 | 49685 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:18.335334063 CEST | 49685 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:18.335449934 CEST | 49685 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:18.335473061 CEST | 443 | 49685 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:18.335553885 CEST | 49685 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:18.335561991 CEST | 443 | 49685 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:18.966027975 CEST | 443 | 49685 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:18.966311932 CEST | 443 | 49685 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:18.966387033 CEST | 49685 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:18.967492104 CEST | 49685 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:20.005606890 CEST | 49686 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:20.005709887 CEST | 443 | 49686 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:20.005821943 CEST | 49686 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:20.006175995 CEST | 49686 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:20.006191969 CEST | 443 | 49686 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:20.264039040 CEST | 443 | 49686 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:20.264179945 CEST | 49686 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:20.265414000 CEST | 49686 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:20.265428066 CEST | 443 | 49686 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:20.265676975 CEST | 443 | 49686 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:20.266844034 CEST | 49686 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:20.266944885 CEST | 49686 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:20.266973972 CEST | 443 | 49686 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:20.826101065 CEST | 443 | 49686 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:20.826225996 CEST | 443 | 49686 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:20.826282024 CEST | 49686 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:20.826373100 CEST | 49686 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:20.826394081 CEST | 443 | 49686 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:20.868407965 CEST | 49687 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:20.868452072 CEST | 443 | 49687 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:20.868535995 CEST | 49687 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:20.868860960 CEST | 49687 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:20.868875027 CEST | 443 | 49687 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:21.124036074 CEST | 443 | 49687 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:21.124172926 CEST | 49687 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:21.125464916 CEST | 49687 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:21.125483990 CEST | 443 | 49687 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:21.125768900 CEST | 443 | 49687 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:21.126934052 CEST | 49687 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:21.127011061 CEST | 49687 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:21.127022982 CEST | 443 | 49687 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:21.707971096 CEST | 443 | 49687 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:21.708158970 CEST | 443 | 49687 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:21.708214045 CEST | 49687 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:21.708265066 CEST | 49687 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:21.708285093 CEST | 443 | 49687 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:21.713632107 CEST | 49688 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:21.713733912 CEST | 443 | 49688 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:21.713826895 CEST | 49688 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:21.714112043 CEST | 49688 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:21.714140892 CEST | 443 | 49688 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:21.938591957 CEST | 443 | 49688 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:21.938714027 CEST | 49688 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:21.939984083 CEST | 49688 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:21.939992905 CEST | 443 | 49688 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:21.940686941 CEST | 443 | 49688 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:21.941951990 CEST | 49688 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:21.941984892 CEST | 49688 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:21.942120075 CEST | 443 | 49688 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:22.494429111 CEST | 443 | 49688 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:22.494513988 CEST | 443 | 49688 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:22.494716883 CEST | 49688 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:22.494762897 CEST | 49688 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:22.494781017 CEST | 443 | 49688 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:22.494795084 CEST | 49688 | 443 | 192.168.2.8 | 104.21.85.126 |
Apr 12, 2025 01:47:22.494801044 CEST | 443 | 49688 | 104.21.85.126 | 192.168.2.8 |
Apr 12, 2025 01:47:23.796586990 CEST | 49673 | 443 | 192.168.2.8 | 2.23.227.215 |
Apr 12, 2025 01:47:23.796659946 CEST | 443 | 49673 | 2.23.227.215 | 192.168.2.8 |
Apr 12, 2025 01:47:24.738527060 CEST | 49691 | 80 | 192.168.2.8 | 74.125.21.94 |
Apr 12, 2025 01:47:24.845120907 CEST | 80 | 49691 | 74.125.21.94 | 192.168.2.8 |
Apr 12, 2025 01:47:24.845223904 CEST | 49691 | 80 | 192.168.2.8 | 74.125.21.94 |
Apr 12, 2025 01:47:24.845411062 CEST | 49691 | 80 | 192.168.2.8 | 74.125.21.94 |
Apr 12, 2025 01:47:24.951488972 CEST | 80 | 49691 | 74.125.21.94 | 192.168.2.8 |
Apr 12, 2025 01:47:24.953716993 CEST | 80 | 49691 | 74.125.21.94 | 192.168.2.8 |
Apr 12, 2025 01:47:24.953732967 CEST | 80 | 49691 | 74.125.21.94 | 192.168.2.8 |
Apr 12, 2025 01:47:24.953794956 CEST | 49691 | 80 | 192.168.2.8 | 74.125.21.94 |
Apr 12, 2025 01:47:24.960251093 CEST | 49691 | 80 | 192.168.2.8 | 74.125.21.94 |
Apr 12, 2025 01:47:25.068111897 CEST | 80 | 49691 | 74.125.21.94 | 192.168.2.8 |
Apr 12, 2025 01:47:25.114954948 CEST | 49691 | 80 | 192.168.2.8 | 74.125.21.94 |
Apr 12, 2025 01:47:42.537326097 CEST | 49671 | 443 | 192.168.2.8 | 204.79.197.203 |
Apr 12, 2025 01:47:42.849446058 CEST | 49671 | 443 | 192.168.2.8 | 204.79.197.203 |
Apr 12, 2025 01:47:43.458753109 CEST | 49671 | 443 | 192.168.2.8 | 204.79.197.203 |
Apr 12, 2025 01:47:44.661895037 CEST | 49671 | 443 | 192.168.2.8 | 204.79.197.203 |
Apr 12, 2025 01:47:47.068172932 CEST | 49671 | 443 | 192.168.2.8 | 204.79.197.203 |
Apr 12, 2025 01:47:50.731334925 CEST | 49678 | 443 | 192.168.2.8 | 20.42.65.90 |
Apr 12, 2025 01:47:51.036900043 CEST | 49678 | 443 | 192.168.2.8 | 20.42.65.90 |
Apr 12, 2025 01:47:51.646409035 CEST | 49678 | 443 | 192.168.2.8 | 20.42.65.90 |
Apr 12, 2025 01:47:51.880650043 CEST | 49671 | 443 | 192.168.2.8 | 204.79.197.203 |
Apr 12, 2025 01:47:52.849438906 CEST | 49678 | 443 | 192.168.2.8 | 20.42.65.90 |
Apr 12, 2025 01:47:55.255690098 CEST | 49678 | 443 | 192.168.2.8 | 20.42.65.90 |
Apr 12, 2025 01:48:00.068223953 CEST | 49678 | 443 | 192.168.2.8 | 20.42.65.90 |
Apr 12, 2025 01:48:01.490097046 CEST | 49671 | 443 | 192.168.2.8 | 204.79.197.203 |
Apr 12, 2025 01:48:09.677628994 CEST | 49678 | 443 | 192.168.2.8 | 20.42.65.90 |
Apr 12, 2025 01:48:25.287297010 CEST | 49691 | 80 | 192.168.2.8 | 74.125.21.94 |
Apr 12, 2025 01:48:25.393665075 CEST | 80 | 49691 | 74.125.21.94 | 192.168.2.8 |
Apr 12, 2025 01:48:25.393734932 CEST | 49691 | 80 | 192.168.2.8 | 74.125.21.94 |
Apr 12, 2025 01:48:31.044502020 CEST | 443 | 49681 | 13.107.246.41 | 192.168.2.8 |
Apr 12, 2025 01:48:31.044532061 CEST | 443 | 49681 | 13.107.246.41 | 192.168.2.8 |
Apr 12, 2025 01:48:31.044549942 CEST | 443 | 49681 | 13.107.246.41 | 192.168.2.8 |
Apr 12, 2025 01:48:31.044610977 CEST | 49681 | 443 | 192.168.2.8 | 13.107.246.41 |
Apr 12, 2025 01:48:31.049154997 CEST | 49681 | 443 | 192.168.2.8 | 13.107.246.41 |
Apr 12, 2025 01:48:31.156385899 CEST | 443 | 49681 | 13.107.246.41 | 192.168.2.8 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 12, 2025 01:47:14.271352053 CEST | 51897 | 53 | 192.168.2.8 | 1.1.1.1 |
Apr 12, 2025 01:47:14.465619087 CEST | 53 | 51897 | 1.1.1.1 | 192.168.2.8 |
Apr 12, 2025 01:47:24.628315926 CEST | 49579 | 53 | 192.168.2.8 | 1.1.1.1 |
Apr 12, 2025 01:47:24.735383034 CEST | 53 | 49579 | 1.1.1.1 | 192.168.2.8 |
Apr 12, 2025 01:47:37.522512913 CEST | 54937 | 53 | 192.168.2.8 | 1.1.1.1 |
Apr 12, 2025 01:47:37.630346060 CEST | 53 | 54937 | 1.1.1.1 | 192.168.2.8 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Apr 12, 2025 01:47:14.271352053 CEST | 192.168.2.8 | 1.1.1.1 | 0x2c17 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Apr 12, 2025 01:47:24.628315926 CEST | 192.168.2.8 | 1.1.1.1 | 0x3562 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Apr 12, 2025 01:47:37.522512913 CEST | 192.168.2.8 | 1.1.1.1 | 0x1869 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Apr 12, 2025 01:47:14.465619087 CEST | 1.1.1.1 | 192.168.2.8 | 0x2c17 | No error (0) | 104.21.85.126 | A (IP address) | IN (0x0001) | false | ||
Apr 12, 2025 01:47:14.465619087 CEST | 1.1.1.1 | 192.168.2.8 | 0x2c17 | No error (0) | 172.67.205.184 | A (IP address) | IN (0x0001) | false | ||
Apr 12, 2025 01:47:24.336236954 CEST | 1.1.1.1 | 192.168.2.8 | 0x2f6f | No error (0) | 217.20.48.23 | A (IP address) | IN (0x0001) | false | ||
Apr 12, 2025 01:47:24.336236954 CEST | 1.1.1.1 | 192.168.2.8 | 0x2f6f | No error (0) | 217.20.48.37 | A (IP address) | IN (0x0001) | false | ||
Apr 12, 2025 01:47:24.336236954 CEST | 1.1.1.1 | 192.168.2.8 | 0x2f6f | No error (0) | 217.20.55.18 | A (IP address) | IN (0x0001) | false | ||
Apr 12, 2025 01:47:24.336236954 CEST | 1.1.1.1 | 192.168.2.8 | 0x2f6f | No error (0) | 217.20.55.22 | A (IP address) | IN (0x0001) | false | ||
Apr 12, 2025 01:47:24.336236954 CEST | 1.1.1.1 | 192.168.2.8 | 0x2f6f | No error (0) | 217.20.48.18 | A (IP address) | IN (0x0001) | false | ||
Apr 12, 2025 01:47:24.336236954 CEST | 1.1.1.1 | 192.168.2.8 | 0x2f6f | No error (0) | 217.20.48.38 | A (IP address) | IN (0x0001) | false | ||
Apr 12, 2025 01:47:24.336236954 CEST | 1.1.1.1 | 192.168.2.8 | 0x2f6f | No error (0) | 217.20.55.34 | A (IP address) | IN (0x0001) | false | ||
Apr 12, 2025 01:47:24.336236954 CEST | 1.1.1.1 | 192.168.2.8 | 0x2f6f | No error (0) | 217.20.48.35 | A (IP address) | IN (0x0001) | false | ||
Apr 12, 2025 01:47:24.735383034 CEST | 1.1.1.1 | 192.168.2.8 | 0x3562 | No error (0) | pki-goog.l.google.com | CNAME (Canonical name) | IN (0x0001) | false | ||
Apr 12, 2025 01:47:24.735383034 CEST | 1.1.1.1 | 192.168.2.8 | 0x3562 | No error (0) | 74.125.21.94 | A (IP address) | IN (0x0001) | false | ||
Apr 12, 2025 01:47:37.630346060 CEST | 1.1.1.1 | 192.168.2.8 | 0x1869 | No error (0) | pki-goog.l.google.com | CNAME (Canonical name) | IN (0x0001) | false | ||
Apr 12, 2025 01:47:37.630346060 CEST | 1.1.1.1 | 192.168.2.8 | 0x1869 | No error (0) | 173.194.219.94 | A (IP address) | IN (0x0001) | false | ||
Session ID | Source IP | Source Port | Destination IP | Destination Port |
---|---|---|---|---|
0 | 192.168.2.8 | 49691 | 74.125.21.94 | 80 |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Apr 12, 2025 01:47:24.845411062 CEST | 202 | OUT | |
Apr 12, 2025 01:47:24.953716993 CEST | 1358 | IN | |
Apr 12, 2025 01:47:24.953732967 CEST | 1094 | IN | |
Apr 12, 2025 01:47:24.960251093 CEST | 200 | OUT | |
Apr 12, 2025 01:47:25.068111897 CEST | 1243 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.8 | 49682 | 104.21.85.126 | 443 | 6604 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-04-11 23:47:14 UTC | 261 | OUT | |
2025-04-11 23:47:14 UTC | 97 | OUT | |
2025-04-11 23:47:15 UTC | 786 | IN | |
2025-04-11 23:47:15 UTC | 583 | IN | |
2025-04-11 23:47:15 UTC | 1369 | IN | |
2025-04-11 23:47:15 UTC | 1369 | IN | |
2025-04-11 23:47:15 UTC | 1369 | IN | |
2025-04-11 23:47:15 UTC | 1369 | IN | |
2025-04-11 23:47:15 UTC | 1369 | IN | |
2025-04-11 23:47:15 UTC | 1369 | IN | |
2025-04-11 23:47:15 UTC | 1369 | IN | |
2025-04-11 23:47:15 UTC | 1369 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.8 | 49683 | 104.21.85.126 | 443 | 6604 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-04-11 23:47:16 UTC | 275 | OUT | |
2025-04-11 23:47:16 UTC | 14515 | OUT | |
2025-04-11 23:47:16 UTC | 808 | IN | |
2025-04-11 23:47:16 UTC | 76 | IN | |
2025-04-11 23:47:16 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.8 | 49684 | 104.21.85.126 | 443 | 6604 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-04-11 23:47:17 UTC | 273 | OUT | |
2025-04-11 23:47:17 UTC | 15051 | OUT | |
2025-04-11 23:47:17 UTC | 810 | IN | |
2025-04-11 23:47:17 UTC | 76 | IN | |
2025-04-11 23:47:17 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.8 | 49685 | 104.21.85.126 | 443 | 6604 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-04-11 23:47:18 UTC | 273 | OUT | |
2025-04-11 23:47:18 UTC | 15331 | OUT | |
2025-04-11 23:47:18 UTC | 4889 | OUT | |
2025-04-11 23:47:18 UTC | 810 | IN | |
2025-04-11 23:47:18 UTC | 76 | IN | |
2025-04-11 23:47:18 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.8 | 49686 | 104.21.85.126 | 443 | 6604 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-04-11 23:47:20 UTC | 270 | OUT | |
2025-04-11 23:47:20 UTC | 2296 | OUT | |
2025-04-11 23:47:20 UTC | 805 | IN | |
2025-04-11 23:47:20 UTC | 76 | IN | |
2025-04-11 23:47:20 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.8 | 49687 | 104.21.85.126 | 443 | 6604 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-04-11 23:47:21 UTC | 273 | OUT | |
2025-04-11 23:47:21 UTC | 1105 | OUT | |
2025-04-11 23:47:21 UTC | 801 | IN | |
2025-04-11 23:47:21 UTC | 76 | IN | |
2025-04-11 23:47:21 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.8 | 49688 | 104.21.85.126 | 443 | 6604 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-04-11 23:47:21 UTC | 262 | OUT | |
2025-04-11 23:47:21 UTC | 135 | OUT | |
2025-04-11 23:47:22 UTC | 784 | IN | |
2025-04-11 23:47:22 UTC | 43 | IN | |
Target ID: | 0 |
Start time: | 19:47:07 |
Start date: | 11/04/2025 |
Path: | C:\Users\user\Desktop\SoftWare(1).exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6af1d0000 |
File size: | 1'582'080 bytes |
MD5 hash: | 34EB7041BA6EFD18C92455835185719A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 2 |
Start time: | 19:47:10 |
Start date: | 11/04/2025 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x470000 |
File size: | 262'432 bytes |
MD5 hash: | 8FDF47E0FF70C40ED3A17014AEEA4232 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | high |
Has exited: | true |
Target ID: | 11 |
Start time: | 19:48:50 |
Start date: | 11/04/2025 |
Path: | C:\Program Files\Windows Defender\MpCmdRun.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff66acf0000 |
File size: | 468'120 bytes |
MD5 hash: | B3676839B2EE96983F9ED735CD044159 |
Has elevated privileges: | true |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 12 |
Start time: | 19:48:50 |
Start date: | 11/04/2025 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6e60e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |