Windows Analysis Report
Setup.exe
Overview
General Information
Detection: LummaC Stealer
Score: 100
Range: 0 - 100
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Yara detected LummaC Stealer
Drops PE files with a suspicious file extension
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Sigma detected: Suspicious Copy From or To System Directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Classification
- System is w10x64
- Setup.exe (PID: 8140, cmdline: "C:\Users\user\Desktop\Setup.exe", MD5: 1A27FCEAA8CF30B45E58957195768A4E)
- cmd.exe (PID: 8188, cmdline: "C:\Windows\System32\cmd.exe" /c copy Argument.ppam Argument.ppam.bat & Argument.ppam.bat, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7224, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- tasklist.exe (PID: 7732, cmdline: tasklist, MD5: 0A4448B31CE7F83CB7691A2657F330F1)
- findstr.exe (PID: 7780, cmdline: findstr /I "opssvc wrsa", MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
- tasklist.exe (PID: 7800, cmdline: tasklist, MD5: 0A4448B31CE7F83CB7691A2657F330F1)
- findstr.exe (PID: 7828, cmdline: findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn", MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
- cmd.exe (PID: 7876, cmdline: cmd /c md 306846, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- extrac32.exe (PID: 7900, cmdline: extrac32 /Y /E Reef.ppam, MD5: 9472AAB6390E4F1431BAA912FCFF9707)
- findstr.exe (PID: 7988, cmdline: findstr /V "Dealt" Bother, MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
- cmd.exe (PID: 7984, cmdline: cmd /c copy /b 306846\Fox.com + Resorts + Signing + Oxford + Bored + Kenneth + Administrative + Kansas + Compiled + Accused 306846\Fox.com, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- cmd.exe (PID: 7932, cmdline: cmd /c copy /b ..\Adults.ppam + ..\Pas.ppam + ..\Pcs.ppam + ..\Dealing.ppam + ..\Banks.ppam + ..\Namely.ppam + ..\Chance.ppam + ..\Impose.ppam W, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Fox.com (PID: 7956, cmdline: Fox.com W, MD5: 62D09F076E6E0240548C2F837536A46A)
- choice.exe (PID: 2920, cmdline: choice /d y /t 5, MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)
HIPS / PFW / Operating System Protection Evasion
Author: Joe Security
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-04-12T02:26:17.040274+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 89.169.54.153 | 443 | TCP |
2025-04-12T02:26:57.428286+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49725 | 104.21.5.162 | 443 | TCP |
2025-04-12T02:26:59.045004+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49726 | 104.21.5.162 | 443 | TCP |
2025-04-12T02:27:00.126270+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49727 | 104.21.5.162 | 443 | TCP |
2025-04-12T02:27:01.576068+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49728 | 104.21.5.162 | 443 | TCP |
2025-04-12T02:27:04.077461+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49729 | 104.21.5.162 | 443 | TCP |
2025-04-12T02:27:05.285701+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49730 | 104.21.5.162 | 443 | TCP |
2025-04-12T02:27:06.389151+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 104.21.5.162 | 443 | TCP |
2025-04-12T02:27:08.292766+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 104.21.5.162 | 443 | TCP |
AV Detection
Persistence and Installation Behavior
Malware Analysis System Evasion
Stealing of Sensitive Information
Remote Access Functionality
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | 1 Scripting | Valid Accounts | 121 Windows Management Instrumentation | 1 Scripting | 12 Process Injection | 11 Masquerading | 2 OS Credential Dumping | 21 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
Credentials | Domains | Default Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | LSASS Memory | 21 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 31 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 12 Process Injection | Security Account Manager | 3 Process Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | 13 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 13 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 24 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 28% | Virustotal | | Browse |
| 33% | ReversingLabs | Win32.Spyware.Lummastealer | |
| 100% | Joe Sandbox ML | | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | ReversingLabs | | |
No Antivirus matches
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 100% | Avira URL Cloud | malware | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
vqaliantheart.live | 104.21.5.162 | true | false | | high |
h1.mockupeastcoast.shop | 89.169.54.153 | true | false | | high |
SUOnlaSwBqeQImGvxTLKMBOcpRJpX.SUOnlaSwBqeQImGvxTLKMBOcpRJpX | unknown | unknown | false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
89.169.54.153 | h1.mockupeastcoast.shop | Russian Federation | | 31514 | INF-NET-ASRU | false |
104.21.5.162 | vqaliantheart.live | United States | | 13335 | CLOUDFLARENETUS | false |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1663643 |
Start date and time: | 2025-04-12 02:25:19 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 47s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 23 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | Setup.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@26/23@3/2 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 23.79.17.61, 52.149.20.212, 204.79.197.222, 172.202.163.200
- Excluded domains from analysis (whitelisted): fp.msedge.net, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- Report size exceeded maximum capacity and may be missing behavior information
- Report size getting too big, too many NtAllocateVirtualMemory calls found.
- Report size getting too big, too many NtOpenFile calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtSetInformationFile calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description |
---|---|---|
20:26:57 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
89.169.54.153 | Get hash | malicious | LummaC Stealer | Browse | ||
104.21.5.162 | Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | HTMLPhisher | Browse | ||
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
h1.mockupeastcoast.shop | Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | LummaC Stealer | Browse | ||
vqaliantheart.live | Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | LummaC Stealer | Browse | ||
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
INF-NET-ASRU | Get hash | malicious | Mirai | Browse | ||
| Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | Unknown | Browse | ||
| Get hash | malicious | Mirai | Browse | ||
| Get hash | malicious | Unknown | Browse | ||
| Get hash | malicious | Vidar | Browse | ||
| Get hash | malicious | Unknown | Browse | ||
| Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | ||
| Get hash | malicious | Unknown | Browse | ||
| Get hash | malicious | Unknown | Browse | ||
CLOUDFLARENETUS | Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | Python Stealer, Blank Grabber | Browse | ||
| Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | LummaC Stealer | Browse | ||
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | LummaC Stealer | Browse | ||
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
C:\Users\user\AppData\Local\Temp\306846\Fox.com | Get hash | malicious | LummaC Stealer | Browse | ||
Get hash | malicious | LummaC Stealer | Browse | |||
Get hash | malicious | LummaC Stealer | Browse | |||
Get hash | malicious | LummaC Stealer | Browse | |||
Get hash | malicious | LummaC Stealer | Browse | |||
Get hash | malicious | LummaC Stealer | Browse | |||
Get hash | malicious | LummaC Stealer | Browse | |||
Get hash | malicious | LummaC Stealer | Browse | |||
Get hash | malicious | LummaC Stealer, PrivateLoader, Vidar | Browse | |||
Get hash | malicious | Vidar | Browse |
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | modified |
Size (bytes): | 947288 |
Entropy (8bit): | 6.630612696399572 |
Encrypted: | false |
SSDEEP: | 24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK |
MD5: | 62D09F076E6E0240548C2F837536A46A |
SHA1: | 26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2 |
SHA-256: | 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49 |
SHA-512: | 32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F |
Malicious: | true |
Antivirus: | |
Joe Sandbox View: | |
Preview: |
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 556346 |
Entropy (8bit): | 7.999665345313753 |
Encrypted: | true |
SSDEEP: | 12288:Mi8oIvCqxMjmjHb7ymG0n8sJVrpdbH+5RfiizfNJSKa:woMdLymDn88JeHaoJSKa |
MD5: | 02881915C28195E1FFC95DCEB8F883AC |
SHA1: | 469EA9E00D42645E0FB9BD1834FF972C6FB50ACE |
SHA-256: | FE356218734BC6EE3222965B2A8FBBD1FDD2491D151254F47B676DCBD94AB862 |
SHA-512: | B92DEC1FC2D1512F15FE32A398752670714DFBA89366C7E698296901CCDF7114F3B890AE91E11AED10D463D5C5AE6285CEE3BD8291C10280EC811C24A86FA5BC |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 11618 |
Entropy (8bit): | 7.458212779846062 |
Encrypted: | false |
SSDEEP: | 192:HsxvhLuBgfMvSVZPkZeCeAH6N8VEVFJ84kcGNq4/C+Q3ISVSWMZMQ3rw:HGhLdXVaeCVrVEVFJ8ZcGwGBk7/UMQ38 |
MD5: | FD54F4C0881583A64BD60AF90542D1E8 |
SHA1: | 2921F54B50D207D0B218678F2719C0F23C23FEEC |
SHA-256: | 1A641A008D8C6440A1AE69F433C66A3876F55388CF4D0DD43D9D2219318B1508 |
SHA-512: | 1C46CDFF3F3F89B900579286DC11522DA0C8A34164B597EE519861B0DECD3844E6FD05DBA318247CB93B8BC82D5C81D1B239B164D9F90E4C3ED1603ED16F4FF9 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 113664 |
Entropy (8bit): | 6.287339774328889 |
Encrypted: | false |
SSDEEP: | 3072:xqDoioO5bLezW9FfTut/Dde6u640ewy4Za9coRC2jfTq8QLeK:dO5bLezWWt/Dd314V14ZgP0JaK |
MD5: | 6B292DBB216B1A11B80C5EFD28247569 |
SHA1: | EF25F355B74DB0EE5D1DF469A09149D71E32F0A6 |
SHA-256: | 2C6815EBE8E361F9C8898E56D7D01628018C78A05A9BE3E9CFB15EAAE5A8091B |
SHA-512: | BF18B797DCB81DB20967954181260BD432CB7A8DBB425D37CF0E602F71E6EA73133DCCECB9FEF0D64843E4BE0291087499C65FF7C1C4E7EBB59C3991269E008A |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Setup.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 71680 |
Entropy (8bit): | 7.997416869237401 |
Encrypted: | true |
SSDEEP: | 1536:XV7p5gJIZf6JS6rg+EVRxNy9GLWn7+y5EXFgByrVy7vPlzQHD1laO0rCre:Xz5mi6JS6MHjuALXwbFvPaHx4Os |
MD5: | FB75D64A43745E99F14F2D7B101F4D31 |
SHA1: | 95F174F3966498B8CB99D1B687CC2E7A0D606976 |
SHA-256: | 03B86A30728AC825735C7921D01A3427C4EF103016039856A630186F24F80082 |
SHA-512: | F2F07AE6EE26CD04525647C13F5D189D93B4390A813D1FC97837727651E3F9A771C18F847DF1E3DCD39CD0401FAF9F7566DA52D64878ABE3ACAFCC3EF938F53B |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Setup.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 27611 |
Entropy (8bit): | 5.081085079822806 |
Encrypted: | false |
SSDEEP: | 384:gv1A6Af4ivnmhSu8YncioIAswXIApjjL5V2D3aisp+ZN11Io78csKzFB:gtAHfm7vro14A9jL5asp+X11IolzFB |
MD5: | 1ED5E75B037B5C86ED9537F512A7CBB0 |
SHA1: | DE0C84604BB971C6705BD2804FAE96511C000F37 |
SHA-256: | BE5B2F7033F23B85BC29CC47473EAAFD2B574DAA6F4FAF0593F00187D9F877AF |
SHA-512: | 250AC92CED05DA8E7F54BF7F534C0B265CB96FDD426C6B5AE334DF7E97062B93FEDFC5986D72433261E260834799C56C5C3BBE4D40C7900D5EB836685F3CD81D |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 27611 |
Entropy (8bit): | 5.081085079822806 |
Encrypted: | false |
SSDEEP: | 384:gv1A6Af4ivnmhSu8YncioIAswXIApjjL5V2D3aisp+ZN11Io78csKzFB:gtAHfm7vro14A9jL5asp+X11IolzFB |
MD5: | 1ED5E75B037B5C86ED9537F512A7CBB0 |
SHA1: | DE0C84604BB971C6705BD2804FAE96511C000F37 |
SHA-256: | BE5B2F7033F23B85BC29CC47473EAAFD2B574DAA6F4FAF0593F00187D9F877AF |
SHA-512: | 250AC92CED05DA8E7F54BF7F534C0B265CB96FDD426C6B5AE334DF7E97062B93FEDFC5986D72433261E260834799C56C5C3BBE4D40C7900D5EB836685F3CD81D |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Setup.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 82944 |
Entropy (8bit): | 7.997840019833129 |
Encrypted: | true |
SSDEEP: | 1536:lmVqO7YCXF6J6aeIe/YhiKRgwVfXxd23cgT:lmgjne/YhiKR/PzycgT |
MD5: | 90E8C5EAE16784E0EA6FD2B0EC991FEE |
SHA1: | C8B212763E84566F9073CDA55B2A10CE357BF390 |
SHA-256: | 710433A03D917565B8FAF82BF6589784BB7E5E61CA76AFF2389AE6E26951C71F |
SHA-512: | 25B7104C410D4273E5120C125C58B6E122E907BFBA06293AA0F892A3CF45D82DD2842B39DECFC8DF9DE0525D02D1C6B431F597D1B2C4CBC8D547FC51B0F34B2D |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 148480 |
Entropy (8bit): | 6.7148555373379075 |
Encrypted: | false |
SSDEEP: | 3072:7dTmRxlHS3NxrHSBRtNPnj0nEoXnmowS2u5hVOoQ7t8T6pUkBz:wHS3zcNPj0nEo3tb2j6AUkBz |
MD5: | 1109D36C201D4DFDC3BF84674C21CDC3 |
SHA1: | 86357A379A5D11F88559A6DFD2050C8E68A7472B |
SHA-256: | F179854A0AB801FB0BF539B8455238BCD70BE61D5C00F6E871CC973A19C14A24 |
SHA-512: | 5AB39306CAFE2F18F5BBA765BC7B87A7DA40C976D809643B0D96E4A9F3C8301FA24FEAAF3284D49E88D8DEC293E420D586BD9060E6A70AD7B3785BD2C8F18DD1 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1787 |
Entropy (8bit): | 4.772971053238548 |
Encrypted: | false |
SSDEEP: | 24:yyGS9PvCA433C+sCNC1skNkvQfhSHQU2L55e1yb/uBx39lt6DhBhhB4+JvU1SE:P9n9mTsCNvEQH5O5U1nPKrhBzM1v |
MD5: | 471756364361AD966740F49228D99E94 |
SHA1: | F4369C0DA7029E3B08E917AA29857F0993EBF870 |
SHA-256: | CD02868DC2CFBBE5DA94BBBF09D665A5C39FB4FB46E7F4D01F2D010350776D74 |
SHA-512: | C5E59101B418AFEEA4A8436287CE00F9C12643D346B4DBF507B887EA09271057E68E28710E4D1ACB08834C051632C06EAF541A8E26E386E6365E01F7409C08C5 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Setup.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 58368 |
Entropy (8bit): | 7.996918222979421 |
Encrypted: | true |
SSDEEP: | 768:4z5QTR9DE0w+J4HNjoN91PBi5B7eu1HZ2X14dXPv2le7d3eJfMc3WH5IgCkzj0RH:4u68eo3lBi7jmX1wWlcoJmd5zj0JDugF |
MD5: | CA257AB3FB229DB47444AB68E825C797 |
SHA1: | 1FAD0139068E7D272229D7942CC480BDA9A19C65 |
SHA-256: | 459D34BE96CBC0AA31789C931C02B34515F5A0FD02001FF2FAE032C81545B7B5 |
SHA-512: | 63B55F8A7E47748AC3D64EA30D125252181C13AE51277D446C883C315AEA89CC4E1812586325026213DBBDDEBD76E4C8A1D1DEDBD0B96FDDBFEC25FA2CF1906E |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 101376 |
Entropy (8bit): | 5.829531769309095 |
Encrypted: | false |
SSDEEP: | 1536:e5el3EYrDWyu0uZo2+9BGmdATGODv7xvTphAiPChgZ:e5elDWy4ZNoGmROL7F1G7hY |
MD5: | DD88D964EA458B0C5D9229D2CCB4CCC8 |
SHA1: | 323D8A7B1E8A4E59AA0B135AE9C00AC0A8DC5956 |
SHA-256: | 65E575C4534716CB29F5E9B1F7C317F39F77624B177F00332E27217F7EFA7072 |
SHA-512: | B811B91CBF2D94C7F0C361452B1F863EEE4DED2D8F0C0128E6ADFCA190E2D2523E655D3C7A2225061D0D356214E9C565D564571691450FB040A85C391C906A85 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Setup.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 77824 |
Entropy (8bit): | 7.997683845472811 |
Encrypted: | true |
SSDEEP: | 1536:Ov7mJ0j4ssR+H4Yw+wLDNrDlAEgCmR0kEmhmLde2OkEGAG:NJss8Hs+wLDFDlXgKkoY+R |
MD5: | B30B1DB6877F52EE8CA340411ABE490A |
SHA1: | 3BD4A1A3DEE3BC2701EE487C4B8D6BEC9D5FC2DE |
SHA-256: | 999D00A3F83EE1813D1444DEC48082A31EA541C9C81A27E3B5644CFEED23A28E |
SHA-512: | 6406F03C1D96731CE09B8A86732CCAD0628D983992536033CED569132115EA19337C6874AD7922FF250CDC803A3D7E1DE06EF8F99F1A67BCCCBD00537B80E51B |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Setup.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 37178 |
Entropy (8bit): | 7.995179363760482 |
Encrypted: | true |
SSDEEP: | 768:wTeX5ujIdpELJ3mMiOqnT98G28Z4CmdxtwLJbcAiQ2zMXdyjJc6zEHF5:wiJeO25FG25dxwxJkdjJc6zO |
MD5: | 2AACB42970DAFD208F717BC87C3620D8 |
SHA1: | D25DA14C24D220B0D161BEA905E7DFE9209E865D |
SHA-256: | 9EE211E8799DA6E78CA81F752C69D578F584BD7986BF8002DA92D0EC53733CA3 |
SHA-512: | F066182F913FF4261A4EF4C9753C1F6B7EBA33A2DC29648306096A8B09921C2A634BCDC116D38A5FF6EB07E57E20CE984FEC0ADC90E5660FC425C5D816F3F541 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 152576 |
Entropy (8bit): | 5.7429294082401565 |
Encrypted: | false |
SSDEEP: | 1536:NgMbFuz08QuklMBNIimuzaAwusPdKaj6iTcPAsAhxjgarB:Ng0Fuz08XvBNbjaAtsPh6whxjgarB |
MD5: | 0554CA687E05A0807838031A94DACC56 |
SHA1: | 0867261FA735072D05B3A044D3C77EC580A01F83 |
SHA-256: | 99BA998B04773DC47141A6BE0B50AFF3A97B60572A8CC97FFEE79C881A6BF0C9 |
SHA-512: | 28E415A0C0C54801B7A8AE68BAF8A7F6442C5A9B33F86F908013C80E1EC3D729418E0D9639BFA162AED67E7BE590015E59F1424A5C09E13D2B3ECDE4E4744118 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 88064 |
Entropy (8bit): | 6.548258521559813 |
Encrypted: | false |
SSDEEP: | 1536:zRmLORuCYm9PrpmESvn+pqFqaynB6GMKY99z+ajU1Rjv18fRQLTh/5fhjLueoMmo:1R8CThpmESv+AqVnBypIbv18mLthfhnZ |
MD5: | 4CC928B501590980DBF649EF7F5AFBBF |
SHA1: | 7F7F0F070B3D76D74280BCCE444BD027A9EDBFF3 |
SHA-256: | 3367ED96F78781ECADB702A538981A42CA634F97590439528E1FC80B82DC57D4 |
SHA-512: | 7F2C0E8DBF4BB6CF7338767BEF0BEA94DDCDB5CBA10CFD85CD5F217D34C322A1659729033082745545B926EAE745D1C54953CACEF254B891D4190EE2194606B6 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Setup.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 90112 |
Entropy (8bit): | 7.997757237558352 |
Encrypted: | true |
SSDEEP: | 1536:G+9GUR73r3BuuWQm6BWLL8YWbHj1Dx3BVjOwtdguvgk9Le4YD:HGw9/m6BWHg/PRVKwwgfi/D |
MD5: | A99F4313AD67115D6A12B102E799E030 |
SHA1: | 2F2C305283A66FCAEE215A6FA66AF030097F009A |
SHA-256: | A1907134C807B8D10FF3B975764DA5B0E60E7DACE3D79DC0165DF3D742D67CE1 |
SHA-512: | F5EDD163F4FCA8204B3C336B661876FD905DBD4360050C260FDE2AF572207B788E5988B91021ACF02FAA72FFD6FB7B96CC5DD601F38516B28979C5E306421EE8 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 77824 |
Entropy (8bit): | 6.597577870179922 |
Encrypted: | false |
SSDEEP: | 1536:Bq0vQEcmFdni8yDGVFE5gOHu1CwCMIBZwneAJu7QnswIPumV3BxZxu6/sPYcSyRu:o0Imbi80PtCZEMnVIPPBxT/sZE |
MD5: | 1BCD0F02B1218397CD81C00B4F08ECC1 |
SHA1: | 8CD2F0887168836C183CAD729FC2414B6DFB07E4 |
SHA-256: | A81B4AA7B73279800E2D067AE6A2A6C49363F31568C527AD1446E436B937E1A8 |
SHA-512: | BD6D5694BC873EC56F7AFF4EE6BABAD2170CD39BDF2FF9766C6077D3DEA4E4727655D16E43DB138FA96776D9806C2EC1E6837E6B1AB51732F2EDA69D235359C6 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Setup.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 55296 |
Entropy (8bit): | 7.996630933173811 |
Encrypted: | true |
SSDEEP: | 1536:q8KEr9FDwoFnyCCOhguIOR7bjy/nWQvko0VemxdWGlkJg59qu:qHEPDJFgOSI7XyMVvlkJg5cu |
MD5: | CFD677F0FF62BB4E0B458BEBABF2B0B3 |
SHA1: | 0ACC98C23387DB48DB6994C86E0D1349116AD745 |
SHA-256: | 78742D2283A62457B5107DBD8685EF5B3DE0D85CD4F582C11440D23E924AFA52 |
SHA-512: | 9B82A7EA078AD76639B05C9311ECB86B61E48B6FDD22EF7A26D2CAF68B1592ABF400C780970D7F29ECFFCC1101892314934EC76FA955FB59E37BA27B2749DE3C |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Setup.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 82944 |
Entropy (8bit): | 7.998121496725335 |
Encrypted: | true |
SSDEEP: | 1536:nSk8eIzlCT8J7XcgBSouGB7VG8inDeP+plBPqTwKUGKK2L108p/ZUq:nSk8eIzv7XXSqVaiOAUGo0u |
MD5: | 7208E5BD40B4F3B29A5EB517FB00558F |
SHA1: | EC0CD20B04710599CAD26B58E3C67876CA18176E |
SHA-256: | 6983972132958824409A44FDF6FDC3B60558FC029055D5B7B5ECC404DA92CC88 |
SHA-512: | 4F3FAE11C63AC1C2D7BEE1043107A52312E36A83137F13BA3C0E6760524ABC3EA7F3086B061DFF7BB07CFEA8FA1C2A0CEF199B5B0A29FBCA34168A81D09D3837 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Setup.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 487096 |
Entropy (8bit): | 7.998518839418628 |
Encrypted: | true |
SSDEEP: | 12288:mAM3JGgugibJuR7K2krhFj4e5D02eGtKjJ5OkX:HuQXb2Krh15c7zX |
MD5: | 0DDB3F888F7DEB4B35A1152E46B133D4 |
SHA1: | 59DE9D03575A712BCFF0E3B4E47F2482FF841F32 |
SHA-256: | 86D643C6741A26D7AAF0700DF440ACF671667A0D8E371A4ABB1F636D0D0081B8 |
SHA-512: | DBBFAA80980F8356B40F7B7993F7FE5871E646C931B5355F8F821FAEB7BEEFBD04857B5C7D826D136DC9B3AA4F74CE28573EB4591033F55ABDC9D10E79D57C19 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 103424 |
Entropy (8bit): | 6.255854917148833 |
Encrypted: | false |
SSDEEP: | 3072:aZg5PXPeiR6MKkjGWoUlJUPdgQa8Bp/LxyA3l1:aK5vPeDkjGgQaE/l1 |
MD5: | 0E608008AF7B480271D97BE4AAA381CC |
SHA1: | C83AA49C2C98651A7F8F0CA39539D8B2F5901B57 |
SHA-256: | 9D488CA45E5B3D7DBEAAB216780DAA32DDF5F96927F1AFC9BE9654A0AE1E3511 |
SHA-512: | F07D674979183ED4999AA00E2CEFA6685BBA4075248E25C515BA18269143B3EDAEEBEF7CD328E203A98C10FF49666DEF358BDF553461EA37568F03B3B528B21D |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 148480 |
Entropy (8bit): | 6.708017876555898 |
Encrypted: | false |
SSDEEP: | 3072:4W2UDQWf05mjccBiqXvpgF4qv+32eOyKODOSpQSAU4C7:SUDtf0accB3gBmmLsiS+SAhC7 |
MD5: | AF48B2DECDA89645DF19CEF89C64E48F |
SHA1: | 5F83305B9A9D522740A5633C9B9ED7C320C0659D |
SHA-256: | D9083EF5AB07ED5E8DBF6BBF74CD979E77797E1B2946760AB4EDACC3B0398FC9 |
SHA-512: | 169A9C2FBA36412151310AFE1B2D6AB9FEE447037AA09E30FEFA99F7F234E33606A91C76347311A08A4C23AAA2EC9E89BBFF5F0396EB4A28474F803516ABA5A6 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 7.982506439638186 |
TrID: | |
File name: | Setup.exe |
File size: | 1'195'901 bytes |
MD5: | 1a27fceaa8cf30b45e58957195768a4e |
SHA1: | 5daed928aa0c440e09d2832f6046c49f3ff47dc8 |
SHA256: | 584c427269b460b899d5734d36fd08e5037827eea6fd5d6972388a12d0b368d6 |
SHA512: | 62f09940f8b8d9cd724da1a42e8a4145ff7e54394eee5b901f7309d3897888723f93e47ddc9d095fb74391fee08fb92901e7133c400d132288fa0b0292cf1fd3 |
SSDEEP: | 24576:H0aWmY33sAmMTOue6HMKL/G/8Ih80AkndybuzMZvpe+QpB:HkR3ciKueyMKs8Ih80bDMZ5Q |
TLSH: | 404533E0D37899EAF52509F333A208E59B38A32572E1B6D357114E677FB11861E0D3A3 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.ydx..7x..7x..7_Hz7{..7_Hl7i..7x..7...7q..7s..7q..7y..7q..7y..7Richx..7........................PE..L....l.K.................d. |
Icon Hash: | 9818991bf0809863 |
Entrypoint: | 0x4033e9 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x4BC06CCB [Sat Apr 10 12:19:23 2010 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | bf95d1fc1d10de18b32654b123ad5e1f |
Signature Valid: | false |
Signature Issuer: | CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US |
Signature Validation Error: | The digital signature of the object did not verify |
Error Number: | -2146869232 |
Not Before, Not After | |
Subject Chain | |
Version: | 3 |
Thumbprint MD5: | 2D368B5A6CC98BC02AD52EEE65430D83 |
Thumbprint SHA-1: | 1A200CF5CB19E72BFCCF0217FD4D7833812D3A42 |
Thumbprint SHA-256: | BC8381484F313296157BF10B1607AA4E9F0952CEEAA56BC02DA0BBCB03C209F7 |
Serial: | 065FCA85F000B86E0C0FABABAA85A28F |
Instruction |
---|
sub esp, 000002D4h |
push ebx |
push ebp |
push esi |
push edi |
push 00000020h |
xor ebp, ebp |
pop esi |
mov dword ptr [esp+18h], ebp |
mov dword ptr [esp+10h], 00408570h |
mov dword ptr [esp+14h], ebp |
call dword ptr [00408030h] |
push 00008001h |
call dword ptr [004080B4h] |
push ebp |
call dword ptr [004082B0h] |
push 00000008h |
mov dword ptr [00470678h], eax |
call 00007FF91CE9153Ch |
push ebp |
push 000002B4h |
mov dword ptr [00470590h], eax |
lea eax, dword ptr [esp+38h] |
push eax |
push ebp |
push 0040856Ch |
call dword ptr [00408180h] |
push 00408554h |
push 00468580h |
call 00007FF91CE9140Ah |
call dword ptr [004080B0h] |
push eax |
mov edi, 004C10A0h |
push edi |
call 00007FF91CE913F8h |
push ebp |
call dword ptr [00408130h] |
cmp word ptr [004C10A0h], 0022h |
mov dword ptr [00470598h], eax |
mov eax, edi |
jne 00007FF91CE8EDDAh |
push 00000022h |
pop esi |
mov eax, 004C10A2h |
push esi |
push eax |
call 00007FF91CE910CCh |
push eax |
call dword ptr [00408250h] |
mov esi, eax |
mov dword ptr [esp+1Ch], esi |
jmp 00007FF91CE8EE61h |
push 00000020h |
pop ebx |
cmp ax, bx |
jne 00007FF91CE8EDD9h |
inc esi |
inc esi |
cmp word ptr [esi], bx |
je 00007FF91CE8EDCBh |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x89f0 | 0xb4 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf2000 | 0x114e8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1218a5 | 0x26d8 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2c0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x6240 | 0x6400 | 1a752074fcd11165f6f148ea63ebe068 | False | 0.656640625 | data | 6.421737576039348 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x8000 | 0x18ca | 0x1a00 | 7eb0899a4b6211f8bc545228417d92ad | False | 0.42427884615384615 | data | 4.878367399492845 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xa000 | 0x6667c | 0x200 | b0b1d7c362f8cc76541b7fce5014e602 | False | 0.193359375 | data | 1.3587162613330246 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.ndata | 0x71000 | 0x81000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0xf2000 | 0x114e8 | 0x11600 | 21993a22bf44033090782a83bf9f8a27 | False | 0.9005451888489209 | data | 7.574785058835711 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0xf2250 | 0xab65 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.987875196572236 |
RT_ICON | 0xfcdb8 | 0x2668 | Device independent bitmap graphic, 48 x 96 x 32, image size 9792 | English | United States | 0.5895036615134256 |
RT_ICON | 0xff420 | 0x2589 | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0011447601207202 |
RT_ICON | 0x1019b0 | 0x1128 | Device independent bitmap graphic, 32 x 64 x 32, image size 4352 | English | United States | 0.6908014571948998 |
RT_ICON | 0x102ad8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.8466312056737588 |
RT_DIALOG | 0x102f40 | 0x100 | data | English | United States | 0.5234375 |
RT_DIALOG | 0x103040 | 0x11c | data | English | United States | 0.6056338028169014 |
RT_DIALOG | 0x103160 | 0x60 | data | English | United States | 0.7291666666666666 |
RT_GROUP_ICON | 0x1031c0 | 0x4c | data | English | United States | 0.8026315789473685 |
RT_MANIFEST | 0x103210 | 0x2d4 | XML 1.0 document, ASCII text, with very long lines (724), with no line terminators | English | United States | 0.5649171270718232 |
DLL | Import |
---|---|
KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, MulDiv, lstrlenA, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW |
USER32.dll | ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, FindWindowExW, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, IsWindow |
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject |
SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation |
ADVAPI32.dll | RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW |
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create |
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance |
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-04-12T02:26:17.040274+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49733 | 89.169.54.153 | 443 | TCP |
2025-04-12T02:26:57.428286+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49725 | 104.21.5.162 | 443 | TCP |
2025-04-12T02:26:59.045004+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49726 | 104.21.5.162 | 443 | TCP |
2025-04-12T02:27:00.126270+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49727 | 104.21.5.162 | 443 | TCP |
2025-04-12T02:27:01.576068+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49728 | 104.21.5.162 | 443 | TCP |
2025-04-12T02:27:04.077461+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49729 | 104.21.5.162 | 443 | TCP |
2025-04-12T02:27:05.285701+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49730 | 104.21.5.162 | 443 | TCP |
2025-04-12T02:27:06.389151+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 104.21.5.162 | 443 | TCP |
2025-04-12T02:27:08.292766+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49732 | 104.21.5.162 | 443 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 12, 2025 02:26:57.155061007 CEST | 49725 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:57.155134916 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:57.155227900 CEST | 49725 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:57.158669949 CEST | 49725 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:57.158694029 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:57.428189039 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:57.428286076 CEST | 49725 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:57.430581093 CEST | 49725 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:57.430588007 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:57.430902958 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:57.477507114 CEST | 49725 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:57.487936974 CEST | 49725 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:57.487936974 CEST | 49725 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:57.488193035 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:57.995651960 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:57.995706081 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:57.995739937 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:57.995757103 CEST | 49725 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:57.995774031 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:57.995831966 CEST | 49725 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:57.995837927 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:57.995879889 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:57.995913029 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:57.995922089 CEST | 49725 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:57.995929003 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:57.995960951 CEST | 49725 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:57.995968103 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:57.996292114 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:57.996330976 CEST | 49725 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:57.996335983 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:58.040000916 CEST | 49725 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:58.040029049 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:58.086865902 CEST | 49725 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:58.114118099 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:58.114651918 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:58.114686012 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:58.114708900 CEST | 49725 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:58.114718914 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:58.114762068 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:58.114772081 CEST | 49725 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:58.114779949 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:58.114814043 CEST | 49725 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:58.114820957 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:58.115544081 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:58.115586042 CEST | 49725 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:58.115591049 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:58.115863085 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:58.115892887 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:58.115902901 CEST | 49725 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:58.115907907 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:58.115943909 CEST | 49725 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:58.116368055 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:58.116425037 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:58.116457939 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:58.116467953 CEST | 49725 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:58.116473913 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:58.116517067 CEST | 49725 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:58.116520882 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:58.117399931 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:58.117438078 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:58.117459059 CEST | 49725 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:58.117464066 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:58.117497921 CEST | 49725 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:58.117542028 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:58.117585897 CEST | 49725 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:58.130727053 CEST | 49725 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:58.130743027 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:58.130778074 CEST | 49725 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:58.130784035 CEST | 443 | 49725 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:58.782515049 CEST | 49726 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:58.782598972 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:58.786037922 CEST | 49726 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:58.786365986 CEST | 49726 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:58.786386013 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:59.044735909 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:59.045003891 CEST | 49726 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:59.046215057 CEST | 49726 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:59.046237946 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:59.046578884 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:59.047816992 CEST | 49726 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:59.047980070 CEST | 49726 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:59.048024893 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:59.048089981 CEST | 49726 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:59.048100948 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:59.709562063 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:59.709875107 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:59.709937096 CEST | 49726 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:59.709937096 CEST | 49726 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:59.852026939 CEST | 49727 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:59.852119923 CEST | 443 | 49727 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:26:59.852281094 CEST | 49727 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:59.852758884 CEST | 49727 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:26:59.852801085 CEST | 443 | 49727 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:00.126137018 CEST | 443 | 49727 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:00.126270056 CEST | 49727 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:00.127437115 CEST | 49727 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:00.127466917 CEST | 443 | 49727 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:00.128379107 CEST | 443 | 49727 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:00.130098104 CEST | 49727 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:00.130264044 CEST | 49727 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:00.130310059 CEST | 443 | 49727 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:01.197268009 CEST | 443 | 49727 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:01.197411060 CEST | 443 | 49727 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:01.197477102 CEST | 49727 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:01.197563887 CEST | 49727 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:01.197586060 CEST | 443 | 49727 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:01.314600945 CEST | 49728 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:01.314657927 CEST | 443 | 49728 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:01.314780951 CEST | 49728 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:01.315095901 CEST | 49728 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:01.315135956 CEST | 443 | 49728 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:01.575984001 CEST | 443 | 49728 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:01.576067924 CEST | 49728 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:01.577357054 CEST | 49728 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:01.577373981 CEST | 443 | 49728 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:01.577712059 CEST | 443 | 49728 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:01.578839064 CEST | 49728 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:01.578970909 CEST | 49728 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:01.579010963 CEST | 443 | 49728 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:01.579067945 CEST | 49728 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:01.579077959 CEST | 443 | 49728 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:02.218641996 CEST | 443 | 49728 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:02.218771935 CEST | 443 | 49728 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:02.218835115 CEST | 49728 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:02.252181053 CEST | 49728 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:02.252219915 CEST | 443 | 49728 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:03.807028055 CEST | 49729 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:03.807073116 CEST | 443 | 49729 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:03.807164907 CEST | 49729 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:03.807445049 CEST | 49729 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:03.807456970 CEST | 443 | 49729 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:04.077353954 CEST | 443 | 49729 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:04.077461004 CEST | 49729 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:04.078711987 CEST | 49729 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:04.078720093 CEST | 443 | 49729 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:04.079643011 CEST | 443 | 49729 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:04.080756903 CEST | 49729 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:04.080862999 CEST | 49729 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:04.080924988 CEST | 443 | 49729 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:04.637505054 CEST | 443 | 49729 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:04.637716055 CEST | 443 | 49729 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:04.637799978 CEST | 49729 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:04.695044041 CEST | 49729 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:04.695060968 CEST | 443 | 49729 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:05.029661894 CEST | 49730 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:05.029720068 CEST | 443 | 49730 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:05.029853106 CEST | 49730 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:05.030133009 CEST | 49730 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:05.030142069 CEST | 443 | 49730 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:05.285537004 CEST | 443 | 49730 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:05.285701036 CEST | 49730 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:05.287020922 CEST | 49730 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:05.287033081 CEST | 443 | 49730 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:05.287270069 CEST | 443 | 49730 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:05.288563013 CEST | 49730 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:05.288724899 CEST | 49730 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:05.288753986 CEST | 443 | 49730 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:05.831887960 CEST | 443 | 49730 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:05.831970930 CEST | 443 | 49730 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:05.832118988 CEST | 49730 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:05.832160950 CEST | 49730 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:05.832179070 CEST | 443 | 49730 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:06.123891115 CEST | 49731 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:06.123945951 CEST | 443 | 49731 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:06.124129057 CEST | 49731 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:06.124320030 CEST | 49731 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:06.124351025 CEST | 443 | 49731 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:06.389044046 CEST | 443 | 49731 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:06.389151096 CEST | 49731 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:06.390223026 CEST | 49731 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:06.390253067 CEST | 443 | 49731 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:06.391171932 CEST | 443 | 49731 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:06.392194033 CEST | 49731 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:06.392806053 CEST | 49731 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:06.392860889 CEST | 443 | 49731 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:06.392992020 CEST | 49731 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:06.393045902 CEST | 443 | 49731 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:06.393189907 CEST | 49731 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:06.393368006 CEST | 443 | 49731 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:06.393532038 CEST | 49731 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:06.393577099 CEST | 443 | 49731 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:06.393769026 CEST | 49731 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:06.393821955 CEST | 443 | 49731 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:06.394105911 CEST | 49731 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:06.394167900 CEST | 443 | 49731 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:06.394193888 CEST | 49731 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:06.394226074 CEST | 443 | 49731 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:06.394371986 CEST | 49731 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:06.394422054 CEST | 443 | 49731 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:06.394462109 CEST | 49731 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:06.394489050 CEST | 443 | 49731 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:06.394576073 CEST | 49731 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:06.394617081 CEST | 443 | 49731 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:06.394668102 CEST | 49731 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:06.394692898 CEST | 443 | 49731 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:06.394776106 CEST | 49731 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:06.394861937 CEST | 49731 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:06.394916058 CEST | 49731 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:06.440278053 CEST | 443 | 49731 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:08.033941031 CEST | 443 | 49731 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:08.034070015 CEST | 443 | 49731 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:08.034147978 CEST | 49731 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:08.034272909 CEST | 49731 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:08.034315109 CEST | 443 | 49731 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:08.038811922 CEST | 49732 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:08.038861990 CEST | 443 | 49732 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:08.038976908 CEST | 49732 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:08.039344072 CEST | 49732 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:08.039377928 CEST | 443 | 49732 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:08.292654037 CEST | 443 | 49732 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:08.292766094 CEST | 49732 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:08.294394016 CEST | 49732 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:08.294403076 CEST | 443 | 49732 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:08.294728041 CEST | 443 | 49732 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:08.295831919 CEST | 49732 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:08.295861006 CEST | 49732 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:08.295922041 CEST | 443 | 49732 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:08.866559982 CEST | 443 | 49732 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:08.866647959 CEST | 443 | 49732 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:08.866780996 CEST | 49732 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:08.867007017 CEST | 49732 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:08.867054939 CEST | 443 | 49732 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:08.867089033 CEST | 49732 | 443 | 192.168.2.4 | 104.21.5.162 |
Apr 12, 2025 02:27:08.867105007 CEST | 443 | 49732 | 104.21.5.162 | 192.168.2.4 |
Apr 12, 2025 02:27:09.016503096 CEST | 49733 | 443 | 192.168.2.4 | 89.169.54.153 |
Apr 12, 2025 02:27:09.016566038 CEST | 443 | 49733 | 89.169.54.153 | 192.168.2.4 |
Apr 12, 2025 02:27:09.016650915 CEST | 49733 | 443 | 192.168.2.4 | 89.169.54.153 |
Apr 12, 2025 02:27:09.016932964 CEST | 49733 | 443 | 192.168.2.4 | 89.169.54.153 |
Apr 12, 2025 02:27:09.016968012 CEST | 443 | 49733 | 89.169.54.153 | 192.168.2.4 |
Apr 12, 2025 02:27:09.228646040 CEST | 443 | 49733 | 89.169.54.153 | 192.168.2.4 |
Apr 12, 2025 02:27:09.229547977 CEST | 49734 | 443 | 192.168.2.4 | 89.169.54.153 |
Apr 12, 2025 02:27:09.229604006 CEST | 443 | 49734 | 89.169.54.153 | 192.168.2.4 |
Apr 12, 2025 02:27:09.229665995 CEST | 49734 | 443 | 192.168.2.4 | 89.169.54.153 |
Apr 12, 2025 02:27:09.230460882 CEST | 49734 | 443 | 192.168.2.4 | 89.169.54.153 |
Apr 12, 2025 02:27:09.230479956 CEST | 443 | 49734 | 89.169.54.153 | 192.168.2.4 |
Apr 12, 2025 02:27:09.457062006 CEST | 443 | 49734 | 89.169.54.153 | 192.168.2.4 |
Apr 12, 2025 02:27:09.458239079 CEST | 49735 | 443 | 192.168.2.4 | 89.169.54.153 |
Apr 12, 2025 02:27:09.458293915 CEST | 443 | 49735 | 89.169.54.153 | 192.168.2.4 |
Apr 12, 2025 02:27:09.458360910 CEST | 49735 | 443 | 192.168.2.4 | 89.169.54.153 |
Apr 12, 2025 02:27:09.459609032 CEST | 49735 | 443 | 192.168.2.4 | 89.169.54.153 |
Apr 12, 2025 02:27:09.459667921 CEST | 443 | 49735 | 89.169.54.153 | 192.168.2.4 |
Apr 12, 2025 02:27:09.459724903 CEST | 49735 | 443 | 192.168.2.4 | 89.169.54.153 |
UDP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 12, 2025 02:26:25.482346058 CEST | 63645 | 53 | 192.168.2.4 | 1.1.1.1 |
Apr 12, 2025 02:26:25.644413948 CEST | 53 | 63645 | 1.1.1.1 | 192.168.2.4 |
Apr 12, 2025 02:26:57.035474062 CEST | 57963 | 53 | 192.168.2.4 | 1.1.1.1 |
Apr 12, 2025 02:26:57.147907019 CEST | 53 | 57963 | 1.1.1.1 | 192.168.2.4 |
Apr 12, 2025 02:27:08.871388912 CEST | 55751 | 53 | 192.168.2.4 | 1.1.1.1 |
Apr 12, 2025 02:27:09.015693903 CEST | 53 | 55751 | 1.1.1.1 | 192.168.2.4 |
DNS Queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Apr 12, 2025 02:26:25.482346058 CEST | 192.168.2.4 | 1.1.1.1 | 0x48bf | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 12, 2025 02:26:57.035474062 CEST | 192.168.2.4 | 1.1.1.1 | 0xfdf5 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 12, 2025 02:27:08.871388912 CEST | 192.168.2.4 | 1.1.1.1 | 0x7975 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
DNS Answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Apr 12, 2025 02:26:25.644413948 CEST | 1.1.1.1 | 192.168.2.4 | 0x48bf | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Apr 12, 2025 02:26:57.147907019 CEST | 1.1.1.1 | 192.168.2.4 | 0xfdf5 | No error (0) | | | 104.21.5.162 | A (IP address) | IN (0x0001) | false |
Apr 12, 2025 02:26:57.147907019 CEST | 1.1.1.1 | 192.168.2.4 | 0xfdf5 | No error (0) | | | 172.67.133.158 | A (IP address) | IN (0x0001) | false |
Apr 12, 2025 02:27:09.015693903 CEST | 1.1.1.1 | 192.168.2.4 | 0x7975 | No error (0) | | | 89.169.54.153 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.4 | 49725 | 104.21.5.162 | 443 | 7956 | C:\Users\user\AppData\Local\Temp\306846\Fox.com |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-04-12 00:26:57 UTC | 267 | OUT | |
2025-04-12 00:26:57 UTC | 85 | OUT | |
2025-04-12 00:26:57 UTC | 786 | IN | |
2025-04-12 00:26:57 UTC | 583 | IN | |
2025-04-12 00:26:57 UTC | 1369 | IN | |
2025-04-12 00:26:57 UTC | 1369 | IN | |
2025-04-12 00:26:57 UTC | 1369 | IN | |
2025-04-12 00:26:57 UTC | 1369 | IN | |
2025-04-12 00:26:57 UTC | 1369 | IN | |
2025-04-12 00:26:57 UTC | 1369 | IN | |
2025-04-12 00:26:57 UTC | 1369 | IN | |
2025-04-12 00:26:57 UTC | 753 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.4 | 49726 | 104.21.5.162 | 443 | 7956 | C:\Users\user\AppData\Local\Temp\306846\Fox.com |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-04-12 00:26:59 UTC | 285 | OUT | |
2025-04-12 00:26:59 UTC | 15331 | OUT | |
2025-04-12 00:26:59 UTC | 4292 | OUT | |
2025-04-12 00:26:59 UTC | 814 | IN | |
2025-04-12 00:26:59 UTC | 76 | IN | |
2025-04-12 00:26:59 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.4 | 49727 | 104.21.5.162 | 443 | 7956 | C:\Users\user\AppData\Local\Temp\306846\Fox.com |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-04-12 00:27:00 UTC | 277 | OUT | |
2025-04-12 00:27:00 UTC | 8745 | OUT | |
2025-04-12 00:27:01 UTC | 823 | IN | |
2025-04-12 00:27:01 UTC | 76 | IN | |
2025-04-12 00:27:01 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.4 | 49728 | 104.21.5.162 | 443 | 7956 | C:\Users\user\AppData\Local\Temp\306846\Fox.com |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-04-12 00:27:01 UTC | 280 | OUT | |
2025-04-12 00:27:01 UTC | 15331 | OUT | |
2025-04-12 00:27:01 UTC | 5077 | OUT | |
2025-04-12 00:27:02 UTC | 808 | IN | |
2025-04-12 00:27:02 UTC | 76 | IN | |
2025-04-12 00:27:02 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.4 | 49729 | 104.21.5.162 | 443 | 7956 | C:\Users\user\AppData\Local\Temp\306846\Fox.com |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-04-12 00:27:04 UTC | 274 | OUT | |
2025-04-12 00:27:04 UTC | 3760 | OUT | |
2025-04-12 00:27:04 UTC | 812 | IN | |
2025-04-12 00:27:04 UTC | 76 | IN | |
2025-04-12 00:27:04 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.4 | 49730 | 104.21.5.162 | 443 | 7956 | C:\Users\user\AppData\Local\Temp\306846\Fox.com |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-04-12 00:27:05 UTC | 274 | OUT | |
2025-04-12 00:27:05 UTC | 2676 | OUT | |
2025-04-12 00:27:05 UTC | 810 | IN | |
2025-04-12 00:27:05 UTC | 76 | IN | |
2025-04-12 00:27:05 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.4 | 49731 | 104.21.5.162 | 443 | 7956 | C:\Users\user\AppData\Local\Temp\306846\Fox.com |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-04-12 00:27:06 UTC | 277 | OUT | |
2025-04-12 00:27:06 UTC | 15331 | OUT | |
2025-04-12 00:27:06 UTC | 15331 | OUT | |
2025-04-12 00:27:06 UTC | 15331 | OUT | |
2025-04-12 00:27:06 UTC | 15331 | OUT | |
2025-04-12 00:27:06 UTC | 15331 | OUT | |
2025-04-12 00:27:06 UTC | 15331 | OUT | |
2025-04-12 00:27:06 UTC | 15331 | OUT | |
2025-04-12 00:27:06 UTC | 15331 | OUT | |
2025-04-12 00:27:06 UTC | 15331 | OUT | |
2025-04-12 00:27:06 UTC | 15331 | OUT | |
2025-04-12 00:27:08 UTC | 822 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.4 | 49732 | 104.21.5.162 | 443 | 7956 | C:\Users\user\AppData\Local\Temp\306846\Fox.com |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-04-12 00:27:08 UTC | 268 | OUT | |
2025-04-12 00:27:08 UTC | 123 | OUT | |
2025-04-12 00:27:08 UTC | 787 | IN | |
2025-04-12 00:27:08 UTC | 108 | IN |
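Read together with the ET JA3 alerts, the eight HTTPS sessions above have the shape of a stealer upload: one short session in which the client receives about 11 KB (session 0), then six sessions in which the client sends far more than it receives, including ten consecutive 15331-byte outbound records in session 6, and a small final exchange (session 7). The Data column is empty on this page, so the content of those records cannot be confirmed here. The following is an added example, not code from the report or from Joe Sandbox, that scores sessions on exactly those properties; the byte counts, client ports and UTC timestamps are transcribed from the tables above, while the thresholds, tag names and the exfil-pattern rule are assumptions chosen for illustration.

```python
"""Score sandbox TLS sessions for exfiltration-like traffic.

Added example, not part of the Joe Sandbox report. Byte counts, client ports
and UTC timestamps are transcribed from the HTTPS session tables above; the
thresholds, tag names and the exfil-pattern rule are assumptions.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Session:
    sid: int
    start: str                      # UTC time of the first record, HH:MM:SS
    src_port: int
    dst: str
    out_bytes: list[int] = field(default_factory=list)   # client -> server records
    in_bytes: list[int] = field(default_factory=list)    # server -> client records

    def out_total(self) -> int:
        return sum(self.out_bytes)

    def in_total(self) -> int:
        return sum(self.in_bytes)


DST = "104.21.5.162"

# Transcribed from the report's eight sessions opened by PID 7956 (Fox.com).
SESSIONS = [
    Session(0, "00:26:57", 49725, DST, [267, 85], [786, 583] + [1369] * 7 + [753]),
    Session(1, "00:26:59", 49726, DST, [285, 15331, 4292], [814, 76, 5]),
    Session(2, "00:27:00", 49727, DST, [277, 8745], [823, 76, 5]),
    Session(3, "00:27:01", 49728, DST, [280, 15331, 5077], [808, 76, 5]),
    Session(4, "00:27:04", 49729, DST, [274, 3760], [812, 76, 5]),
    Session(5, "00:27:05", 49730, DST, [274, 2676], [810, 76, 5]),
    Session(6, "00:27:06", 49731, DST, [277] + [15331] * 10, [822]),
    Session(7, "00:27:08", 49732, DST, [268, 123], [787, 108]),
]

# Client ports named in the ET JA3 Hash alerts (SID 2028371) listed above.
JA3_ALERT_PORTS = {49726, 49727, 49728, 49729, 49730, 49731, 49732}


def _secs(hhmmss: str) -> int:
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def classify(s: Session, min_upload: int = 2048, min_ratio: float = 2.0) -> list[str]:
    """Tag one session. Thresholds are assumptions chosen for this report."""
    tags: list[str] = []
    if s.out_total() >= min_upload and s.out_total() / max(s.in_total(), 1) >= min_ratio:
        tags.append("upload-heavy")          # client sends far more than it receives
    big_chunks = Counter(b for b in s.out_bytes if b > 1024)
    if any(n >= 2 for n in big_chunks.values()):
        tags.append("repeated-chunk")        # same large outbound size repeated: a send loop
    if s.src_port in JA3_ALERT_PORTS:
        tags.append("ja3-alert")             # the IDS already flagged this client handshake
    return tags


def summarize(sessions: list[Session], window_s: int = 60, min_heavy: int = 3) -> dict:
    """Per destination: byte totals, and an exfil-pattern flag when at least
    min_heavy upload-heavy sessions reach the same host within window_s seconds."""
    by_dst: dict[str, list[Session]] = {}
    for s in sessions:
        by_dst.setdefault(s.dst, []).append(s)
    report = {}
    for dst, group in by_dst.items():
        heavy = [s for s in group if "upload-heavy" in classify(s)]
        times = sorted(_secs(s.start) for s in heavy)
        span = times[-1] - times[0] if times else 0
        report[dst] = {
            "sessions": len(group),
            "upload_heavy": len(heavy),
            "bytes_out": sum(s.out_total() for s in group),
            "bytes_in": sum(s.in_total() for s in group),
            "span_s": span,
            "exfil_pattern": len(heavy) >= min_heavy and span <= window_s,
        }
    return report


if __name__ == "__main__":
    for s in SESSIONS:
        print(f"session {s.sid} port {s.src_port}: out={s.out_total():>6} in={s.in_total():>5} {classify(s)}")
    print(summarize(SESSIONS))
```

On the data above, sessions 1 to 6 are tagged upload-heavy (about 211 KB out against 18 KB in across all eight sessions, within a seven-second window), which is the asymmetry a network sensor can alert on even when the TLS payload is opaque. The three short connections to 89.169.54.153 (ports 49733 to 49735) appear only in the TCP packet table and not in the session list, so they are not scored here.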
Target ID: | 0 |
Start time: | 20:26:15 |
Start date: | 11/04/2025 |
Path: | C:\Users\user\Desktop\Setup.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 1'195'901 bytes |
MD5 hash: | 1A27FCEAA8CF30B45E58957195768A4E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 20:26:17 |
Start date: | 11/04/2025 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xc70000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 2 |
Start time: | 20:26:18 |
Start date: | 11/04/2025 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff62fc20000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 4 |
Start time: | 20:26:20 |
Start date: | 11/04/2025 |
Path: | C:\Windows\SysWOW64\tasklist.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x640000 |
File size: | 79'360 bytes |
MD5 hash: | 0A4448B31CE7F83CB7691A2657F330F1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 5 |
Start time: | 20:26:20 |
Start date: | 11/04/2025 |
Path: | C:\Windows\SysWOW64\findstr.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x120000 |
File size: | 29'696 bytes |
MD5 hash: | F1D4BE0E99EC734376FDE474A8D4EA3E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 6 |
Start time: | 20:26:21 |
Start date: | 11/04/2025 |
Path: | C:\Windows\SysWOW64\tasklist.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x640000 |
File size: | 79'360 bytes |
MD5 hash: | 0A4448B31CE7F83CB7691A2657F330F1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 7 |
Start time: | 20:26:21 |
Start date: | 11/04/2025 |
Path: | C:\Windows\SysWOW64\findstr.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x120000 |
File size: | 29'696 bytes |
MD5 hash: | F1D4BE0E99EC734376FDE474A8D4EA3E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 8 |
Start time: | 20:26:23 |
Start date: | 11/04/2025 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xc70000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 9 |
Start time: | 20:26:23 |
Start date: | 11/04/2025 |
Path: | C:\Windows\SysWOW64\extrac32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x50000 |
File size: | 29'184 bytes |
MD5 hash: | 9472AAB6390E4F1431BAA912FCFF9707 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 10 |
Start time: | 20:26:23 |
Start date: | 11/04/2025 |
Path: | C:\Windows\SysWOW64\findstr.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x120000 |
File size: | 29'696 bytes |
MD5 hash: | F1D4BE0E99EC734376FDE474A8D4EA3E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 11 |
Start time: | 20:26:23 |
Start date: | 11/04/2025 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xc70000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 12 |
Start time: | 20:26:24 |
Start date: | 11/04/2025 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xc70000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 13 |
Start time: | 20:26:24 |
Start date: | 11/04/2025 |
Path: | C:\Users\user\AppData\Local\Temp\306846\Fox.com |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x790000 |
File size: | 947'288 bytes |
MD5 hash: | 62D09F076E6E0240548C2F837536A46A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Antivirus matches: | |
Has exited: | true |
Target ID: | 14 |
Start time: | 20:26:24 |
Start date: | 11/04/2025 |
Path: | C:\Windows\SysWOW64\choice.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xc0000 |
File size: | 28'160 bytes |
MD5 hash: | FCE0E41C87DC4ABBE976998AD26C27E4 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
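The per-process records above show the loader's sequence without its command lines: Setup.exe starts cmd.exe, two tasklist.exe/findstr.exe pairs run within a second of each other (the process-list check behind "Sigma detected: Search for Antivirus process"), extrac32.exe runs, and one second later a 947 KB image with a .com extension starts from %LOCALAPPDATA%\Temp\306846 and opens every network session in the report. The following is an added example, not code from the report or from Joe Sandbox, that applies three heuristics to that list; the records are transcribed from the tables above (target ID, local start time, image path), and because this page shows neither command lines nor parent PIDs the checks work from paths and timing only, which makes them approximations of the report's own signatures. The window sizes, the extension list and the directory pattern are assumptions.

```python
"""Heuristics over a sandbox process list.

Added example, not part of the Joe Sandbox report. The records are transcribed
from the per-process tables above (target ID, start time, image path). The
report does not show command lines or parent PIDs here, so each check works
from image paths and start times only. Window sizes, the extension list and
the directory pattern are assumptions.
"""
from __future__ import annotations

import re

# (target id, local start time HH:MM:SS, image path), transcribed from the report.
PROCS = [
    (0, "20:26:15", r"C:\Users\user\Desktop\Setup.exe"),
    (1, "20:26:17", r"C:\Windows\SysWOW64\cmd.exe"),
    (2, "20:26:18", r"C:\Windows\System32\conhost.exe"),
    (4, "20:26:20", r"C:\Windows\SysWOW64\tasklist.exe"),
    (5, "20:26:20", r"C:\Windows\SysWOW64\findstr.exe"),
    (6, "20:26:21", r"C:\Windows\SysWOW64\tasklist.exe"),
    (7, "20:26:21", r"C:\Windows\SysWOW64\findstr.exe"),
    (8, "20:26:23", r"C:\Windows\SysWOW64\cmd.exe"),
    (9, "20:26:23", r"C:\Windows\SysWOW64\extrac32.exe"),
    (10, "20:26:23", r"C:\Windows\SysWOW64\findstr.exe"),
    (11, "20:26:23", r"C:\Windows\SysWOW64\cmd.exe"),
    (12, "20:26:24", r"C:\Windows\SysWOW64\cmd.exe"),
    (13, "20:26:24", r"C:\Users\user\AppData\Local\Temp\306846\Fox.com"),
    (14, "20:26:24", r"C:\Windows\SysWOW64\choice.exe"),
]

# Directories a standard user can write to (assumption; extend for your estate).
USER_WRITABLE = re.compile(
    r"^C:\\Users\\[^\\]+\\(AppData\\Local\\Temp|Desktop|Downloads)\\", re.IGNORECASE)
# Extensions Windows will still launch as a PE image but that do not look like programs.
DISGUISED_EXT = {".com", ".pif", ".scr"}


def _secs(hhmmss: str) -> int:
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _ext(path: str) -> str:
    name = _name(path)
    return name[name.rfind("."):] if "." in name else ""


def disguised_images(procs) -> list[int]:
    """Images started from a user-writable directory under a non-.exe extension."""
    return [tid for tid, _, path in procs
            if USER_WRITABLE.match(path) and _ext(path) in DISGUISED_EXT]


def enumeration_pairs(procs, window_s: int = 2) -> list[tuple[int, int]]:
    """tasklist.exe followed within window_s by findstr.exe: the shape of a
    'tasklist | findstr <name>' process search, matched without the command line."""
    pairs = []
    for tid, t, path in procs:
        if _name(path) != "tasklist.exe":
            continue
        for tid2, t2, path2 in procs:
            if _name(path2) == "findstr.exe" and 0 <= _secs(t2) - _secs(t) <= window_s:
                pairs.append((tid, tid2))
                break
    return pairs


def unpack_then_run(procs, window_s: int = 5) -> list[tuple[int, int]]:
    """extrac32.exe (the built-in CAB extractor) followed within window_s by an
    image started from a user-writable directory: drop, then execute."""
    extracts = [(tid, _secs(t)) for tid, t, path in procs if _name(path) == "extrac32.exe"]
    hits = []
    for tid, t, path in procs:
        if not USER_WRITABLE.match(path):
            continue
        for xid, xt in extracts:
            if 0 <= _secs(t) - xt <= window_s:
                hits.append((xid, tid))
                break
    return hits


def findings(procs) -> dict:
    return {
        "disguised_images": disguised_images(procs),
        "enumeration_pairs": enumeration_pairs(procs),
        "unpack_then_run": unpack_then_run(procs),
    }


if __name__ == "__main__":
    print(findings(PROCS))
```

On this list the checks return target 13 (Fox.com) as a disguised image, the pairs (4, 5) and (6, 7) as process enumeration, and (9, 13) as extraction followed by execution. Setup.exe on the Desktop is not flagged by the last check because it started before extrac32.exe. With real telemetry you would tighten each rule with the parent PID and the command line (the report's own Sigma match uses the findstr argument), but the timing-only version is enough to show why these three LOLBins appearing together in a few seconds is worth a look.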
Execution Graph
Execution Coverage: | 18.7% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 20.8% |
Total number of Nodes: | 1343 |
Total number of Limit Nodes: | 31 |