Edit tour
Windows
Analysis Report
Setup.exe
Overview
General Information
| Sample name: | Setup.exe |
| Analysis ID: | 1664099 |
| MD5: | 69d60e74d9063949aa710804c99e4468 |
| SHA1: | c3c669bafcaedb94b4ea02afb19155b99b0bdf88 |
| SHA256: | a6f505950424c626a2e800ee4d5b50de2e091d6b1f4f8ceeedc0e2e4af6aa6c0 |
| Tags: | AutoITexeLummaStealeruser-aachum |
| Infos: |   |
 | |
Detection
LummaC Stealer
| Score: | 100 |
| Range: | 0 - 100 |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Yara detected LummaC Stealer
Drops PE files with a suspicious file extension
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: Suspicious Copy From or To System Directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Classification
- System is w10x64
Setup.exe (PID: 7940 cmdline: "C:\Users\ user\Deskt op\Setup.e xe" MD5: 69D60E74D9063949AA710804C99E4468) 
cmd.exe (PID: 7980 cmdline: "C:\Window s\System32 \cmd.exe" /c copy Un authorized .msi Unaut horized.ms i.bat & Un authorized .msi.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7988 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
tasklist.exe (PID: 8056 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1) - findstr.exe (PID: 8064 cmdline:
findstr /I "opssvc w rsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - tasklist.exe (PID: 8100 cmdline:
tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1) - findstr.exe (PID: 8108 cmdline:
findstr "S ophosHealt h bdservic ehost Avas tUI AVGUI nsWscSvc e krn" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - cmd.exe (PID: 8144 cmdline:
cmd /c md 335031 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - extrac32.exe (PID: 8160 cmdline:
extrac32 / Y /E Appre ciated.msi MD5: 9472AAB6390E4F1431BAA912FCFF9707) - findstr.exe (PID: 8180 cmdline:
findstr /V "Communic ations" Tu rner MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - cmd.exe (PID: 6588 cmdline:
cmd /c cop y /b 33503 1\Amino.co m + Scanne r + Tri + Submission + Aging + Digital + Collectio n + Clevel and + Taiw an + Recei ves + Nd + Investors + Detecti on 335031\ Amino.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - cmd.exe (PID: 7204 cmdline:
cmd /c cop y /b ..\Th umbnail.ms i + ..\Pri ze.msi + . .\Mile.msi + ..\Clar k.msi + .. \Using.msi + ..\Hori zontal.msi + ..\Sum. msi + ..\F rance.msi T MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) 
Amino.com (PID: 7248 cmdline: Amino.com T MD5: 62D09F076E6E0240548C2F837536A46A) - choice.exe (PID: 7596 cmdline:
choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
| Source: | Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): | ||
HIPS / PFW / Operating System Protection Evasion |   |
|---|
| Source: | Author: Joe Security: | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-04-13T16:25:03.098487+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49735 | 89.169.54.153 | 443 | TCP |
| 2025-04-13T16:25:50.179624+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49726 | 104.21.5.162 | 443 | TCP |
| 2025-04-13T16:25:52.100476+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49727 | 104.21.5.162 | 443 | TCP |
| 2025-04-13T16:25:53.197917+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49728 | 104.21.5.162 | 443 | TCP |
| 2025-04-13T16:25:55.215678+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49729 | 104.21.5.162 | 443 | TCP |
| 2025-04-13T16:25:58.182515+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49730 | 104.21.5.162 | 443 | TCP |
| 2025-04-13T16:25:59.150068+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 104.21.5.162 | 443 | TCP |
| 2025-04-13T16:26:00.242952+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 104.21.5.162 | 443 | TCP |
| 2025-04-13T16:26:02.180377+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 104.21.5.162 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira URL Cloud: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Neural Call Log Analysis: | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 0_2_00405B6C | |
| Source: | Code function: | 0_2_0040652D | |
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | JA3 fingerprint: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 0_2_00404B88 | |
| Source: | Code function: | 0_2_004033E9 | |
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00406947 | |
| Source: | Code function: | 0_2_00404451 | |
| Source: | Dropped File: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_00403FDF | |
| Source: | Code function: | 0_2_00402218 | |
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | Static PE information: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | Window detected: | ||
| Source: | Static file information: | ||
| Source: | Code function: | 0_2_00405B93 | |
Persistence and Installation Behavior | |
|---|
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | WMI Queries: | ||
| Source: | System information queried: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | Last function: | ||
| Source: | Code function: | 0_2_00405B6C | |
| Source: | Code function: | 0_2_0040652D | |
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_00405B93 | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_00405C44 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | 1 Scripting | Valid Accounts | 121 Windows Management Instrumentation | 1 Scripting | 12 Process Injection | 11 Masquerading | 2 OS Credential Dumping | 21 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | LSASS Memory | 21 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 31 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 12 Process Injection | Security Account Manager | 3 Process Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | 13 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 13 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 25 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 45% | Virustotal | Browse | ||
| 36% | ReversingLabs | Win32.Spyware.Lummastealer | ||
| 100% | Joe Sandbox ML |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | ReversingLabs | |||
| 3% | ReversingLabs | Script-AutoIt.Dropper.Generic | ||
| 3% | ReversingLabs | Script-AutoIt.Dropper.Generic |
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira URL Cloud | malware |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| vqaliantheart.live | 104.21.5.162 | true | false | high | |
| h1.mockupeastcoast.shop | 89.169.54.153 | true | false | high | |
| XFctBeCyahiRgTQwoaYNt.XFctBeCyahiRgTQwoaYNt | unknown | unknown | false | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 89.169.54.153 | h1.mockupeastcoast.shop | Russian Federation | 31514 | INF-NET-ASRU | false | |
| 104.21.5.162 | vqaliantheart.live | United States | 13335 | CLOUDFLARENETUS | false |
| Joe Sandbox version: | 42.0.0 Malachite |
| Analysis ID: | 1664099 |
| Start date and time: | 2025-04-13 16:24:12 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 48s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 23 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | Setup.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@26/26@3/2 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 23.76.34.6, 172.202.163.200
- Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtSetInformationFile calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
| Time | Type | Description |
|---|---|---|
| 10:25:14 | API Interceptor | |
| 10:25:46 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 89.169.54.153 | Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | LummaC Stealer | Browse | |||
| 104.21.5.162 | Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | HTMLPhisher | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| h1.mockupeastcoast.shop | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| vqaliantheart.live | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| INF-NET-ASRU | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Vidar | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| CLOUDFLARENETUS | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | Cobalt Strike, MSIL Logger, MassLogger RAT | Browse |
| ||
| Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| ||
| Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Cobalt Strike, MSIL Logger, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Cobalt Strike, MSIL Logger, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | GO Backdoor, LummaC Stealer | Browse |
| ||
| Get hash | malicious | Koadic | Browse |
| ||
| Get hash | malicious | HTMLPhisher, LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer, Xmrig | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\335031\Amino.com | Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | LummaC Stealer, PrivateLoader, Vidar | Browse |
| Process: | C:\Windows\SysWOW64\cmd.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 947288 |
| Entropy (8bit): | 6.630612696399572 |
| Encrypted: | false |
| SSDEEP: | 24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK |
| MD5: | 62D09F076E6E0240548C2F837536A46A |
| SHA1: | 26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2 |
| SHA-256: | 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49 |
| SHA-512: | 32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F |
| Malicious: | true |
| Antivirus: |
|
| Joe Sandbox View: |
|
| Preview: |
| Process: | C:\Windows\SysWOW64\cmd.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 533823 |
| Entropy (8bit): | 7.999658656783924 |
| Encrypted: | true |
| SSDEEP: | 12288:IsVfyYZiz0gkHefmatOWbjdtXrKtG6XNrwY3y9SEQ:fK2i9SEf5TXOtXl3ySEQ |
| MD5: | D7A7748CFDDFC4EF4104B1AD01D19424 |
| SHA1: | 2F4505456065AFF8D851A332CF2A2D19E1A28E6D |
| SHA-256: | F1EBC00F6E7473BE3844BFE6981BC74AADF82161038557C085A7A4BC1EB906F7 |
| SHA-512: | AEE578F283BCE95B01DCB700A97FD04C3DD6F551B21171FA0FBF2958F023E6BC7F702428C3D00777A3425AF5AA29F8607B850483C075864DBC8BF6C4065666A5 |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Windows\SysWOW64\extrac32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 75776 |
| Entropy (8bit): | 6.592405040072708 |
| Encrypted: | false |
| SSDEEP: | 1536:Ni8q0vQEcmFdni8yDGVFE5gOHu1CwCMIBZwneAJu7QnswIPumV3BxZxu6/sPY:g0Imbi80PtCZEMnVIPPBxT/sA |
| MD5: | 3BABAB233673803488F2D8AEBD98F105 |
| SHA1: | 7C28B18EC25FA5693FCE271F5997270C56C490F3 |
| SHA-256: | C5CFFFC75502BF2D2812CCC5C8EFC5F12B96CEA87345CF0B0BD648A70E10207D |
| SHA-512: | B0EE6DD3FA88AA04FB02209D9559D084FEE123BAFD15C63581269B116CB499B49DDB4F5E040DE9C0067599FA2B7236E158D90EECBF8348A024F84297AB94B8D2 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\Setup.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 489914 |
| Entropy (8bit): | 7.998466094938992 |
| Encrypted: | true |
| SSDEEP: | 12288:nq2RpJgVGWZcw9SxO8mY7xt0Fc74Jk6iht0b8AyzSrmP:qA+UUcwal7xyhOzH |
| MD5: | A0A62AE4958834D852B3649D637F40B5 |
| SHA1: | 000F4752DE6E0E2C3C0DC3038B748F792C803207 |
| SHA-256: | B45F542746C35C528593999E3E0A5F96A4032ADC8D100BCFA5E04C5794591819 |
| SHA-512: | 04B698F3909235AFEC3A36A3826EAC23CCFC252D40BC88FD8BA8225F14D6571B97F60711800C5CDF79B3CBB65590279A7D402022D28035BEC1DD27C2B50BF8C0 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\Setup.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 61440 |
| Entropy (8bit): | 7.9968160564337785 |
| Encrypted: | true |
| SSDEEP: | 1536:EOMsMO2DeOTzaBKhFjCCMaoSnOUkypa4CQYBJ000SkGD3w1oUJ:EHsMfDeOqBKPCCMaFzbaVl0+UJ |
| MD5: | DAEAD9FC5DD19AF24C4288DC2D4786F7 |
| SHA1: | E5C73DF6E2A70481B125BD678BF2111E8E751F71 |
| SHA-256: | 932F88C08678D4F19867F486C7E1F271D27B14D617520F00F2D5ED92F896EAAB |
| SHA-512: | F5F45F190564221939F5889E2ED9D563B76D21886C14536B21655A26987D08EE29D7F81907C32B520EA441D1D109697E57796E830EF6BCC33E85C2CAA26EF682 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\extrac32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 121856 |
| Entropy (8bit): | 6.576026561779058 |
| Encrypted: | false |
| SSDEEP: | 3072:mqVnBypIbv18mLthfhnueoMmOqDoioO5bLezW9FfTut/Dde6u640ewy4Za9cov:nVnjphfhnvO5bLezWWt/Dd314V14ZgPv |
| MD5: | E9403B8E00244FF402DB56FB9F5CCCF5 |
| SHA1: | 612F9B5927168D9C321BFD1E31BD638A030953B3 |
| SHA-256: | 1BF70AE7228CDA96C2979432BA9367FEA9920095901FB90263F989BF555E9B5A |
| SHA-512: | 6FA75BB5E52AC7557A4E6D52B990B5C5409767F426B3295B91B9027971CD074EDCEADC4B53F57992F899DAB13F8A4E305C1A18371B0CA1FE3643A66BC6D2CCBF |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\extrac32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 110592 |
| Entropy (8bit): | 6.639426024541707 |
| Encrypted: | false |
| SSDEEP: | 3072:j0nEoXnmowS2u5hVOoQ7t8T6pUkBJR8CThpmESv+R:j0nEo3tb2j6AUkB0CThp6v8 |
| MD5: | 44C095ACC22C1212E2B258528AB1A901 |
| SHA1: | 8AC60FB6475A03B4B28640D7191DE1421DD2B839 |
| SHA-256: | 8876B10A1D85833BA25F1331B479F4CBD2AAC6AEFBF3E4AD4B33C2722324E2AF |
| SHA-512: | 2C1011956AF465D079242FE0840B09D4851D60D1FB3873CF67D480F5AB491E84F510086C6800F2C06C329739868A0B51EDF68E543A1BE5A9B4A0CF7EEBA41807 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\extrac32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 5728 |
| Entropy (8bit): | 7.62117397262704 |
| Encrypted: | false |
| SSDEEP: | 96:FhzYGNG6m4/TOL+Q3IuzfJFFy4EDzHy5Xz+ppo+zAbQ6YhbBwGKGP5h3g:TcGNq4/C+Q3ISVSWMZMQ3rw |
| MD5: | 6D178827B85C6F32AB0A11EAB2A5337C |
| SHA1: | EF08D7ED7EF6F192BD5E855A7FBA79981D870C0E |
| SHA-256: | B72C55EA2F3C0CEB9E626F5AC61B419295D1E2AAD1368CC7F501226AC998C3CD |
| SHA-512: | B5D7F79633CD40400E058831C9927348F5BD74A24761F5364F2289FD4BDF0677276F26EFB7DA5697D91E418B5CAC627A2D88A3910DAC81A964B1F450E0BC2888 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\extrac32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 76800 |
| Entropy (8bit): | 6.6859019865556775 |
| Encrypted: | false |
| SSDEEP: | 1536:XcSyRXzW8/uC6LdTmHwANUQlHS3cctlxWboHdMJ3RraSXL21rKoUnn:2ydTmRxlHS3NxrHSBRtNPnn |
| MD5: | 86CC58582D043EBC9225FF4AE452AF0C |
| SHA1: | 61053CF690A65341C181FBB27D3258D07629D4D3 |
| SHA-256: | F215F7747D689AD5CFA36E25700F32949DD880CC6F8D3419E2A3F40DB35665D0 |
| SHA-512: | 5B7A2D421FB4E442168F8F5C78A9832392D7D87DA6866B6C39719737C636E9FC961A964AC02325B34740819256E954EE5F3F204B6C99B6EF196332BD7D044DFD |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\Setup.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 40255 |
| Entropy (8bit): | 7.9954856769157505 |
| Encrypted: | true |
| SSDEEP: | 768:6rHbo0pjDATDm1p+iPK80RyOH4nj+WM1Z2yElIZ6gNDP4zP+SnBQgJEdN2NQ:Ko0tDATDGp7Krwi4+WM4lIZTNDPB22gE |
| MD5: | FB5CBAF9DC6A285E0C6C85ACF44BC8D3 |
| SHA1: | C84FD18ED9945B0E79F2A5A669D6C2131857C781 |
| SHA-256: | 2DCA042850CF46AF1EA8EAF01AD2025528A3E147E81AC40F694EF53F6E315C6B |
| SHA-512: | 39344A48FD309E09AE1DE2769BAC1278E0A9EC8D800CC8BE3F3D60626CE61698234ADA5E5BC6618C097BF5AC099A9DE3EEC0B656B66B20529BD471FC2F283C8A |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\Setup.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 55296 |
| Entropy (8bit): | 7.996588408110692 |
| Encrypted: | true |
| SSDEEP: | 1536:QewrM+Jhv3O7z7qP5Sx8fF93US+qZ4hNyWZ+dmUdfAC63:QtrMMxO7qPUMF9EPtZ+8UdfAl |
| MD5: | 0FF7D82F5103ABCA6CBA2E1225EDB016 |
| SHA1: | 45EAAD36DFD6453A027A372B6ED7AF6FCED760E6 |
| SHA-256: | 15D25C9F483B518424DDAC5B8A2635586D8F2C8A4750AA9984237908B0F2368C |
| SHA-512: | 30BC44B12DCFBD48A101292A15E6F518300E8F74E659D8F1E68D4D3D344D30964C2C24BB7EC3967FAC3414BDE880C53ED538CB338B1EA0BEA9B00A8341A520EE |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\extrac32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 67584 |
| Entropy (8bit): | 7.005366554866291 |
| Encrypted: | false |
| SSDEEP: | 1536:MWyu0uZo2+9BGmdATGODv7xvTphAiPChgZ2kO8:MWy4ZNoGmROL7F1G7ho2kO8 |
| MD5: | E82C96462AEDB5711AFADEDAC32BB2F3 |
| SHA1: | D5E67F2E41FC5044E654B411FA4B4888AF5C3602 |
| SHA-256: | D9B86BFB560938C9F7171410446E487D426A8A5252B5423D58CBB65C8F5E4ECD |
| SHA-512: | 60AC7A55D4562827AEDB8F1BD8D839720AA7DCD68AC5B9D386EBEB50922A4950B43D69359FF7BFF132CE78FDCB7C00AD555D5FF7A870964D88F8C4F34CDF6310 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\Setup.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 72704 |
| Entropy (8bit): | 7.997431892300692 |
| Encrypted: | true |
| SSDEEP: | 1536:bGpzHxKs+i1gEvLlEe0QKgVXxKJx0WhnOzsTHLw79B:ipLss5eeLmfOxWmATHLw7z |
| MD5: | 5A8C1C34ABBA5E66190784E9434B8EAD |
| SHA1: | 8BBDC6B58D60F60E91550AC317AE79162484EC66 |
| SHA-256: | 96A52B4C3944A10D72548A0902E0C117E1469398E9EA3C37D513D63B9D9CC5CE |
| SHA-512: | 33058C6C7B7EDCE1ADEDF5EEFEF1B3E08AF2210C39830A202BED93689F21DB9AF063F315D51BE504C5509D5F760B00E7F67362E22BA443A903CAD82FAEB6A948 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\extrac32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 84992 |
| Entropy (8bit): | 4.253772556726208 |
| Encrypted: | false |
| SSDEEP: | 768:MKAGWRqA60dTcR4qYnGfAHE9AUsFxyLtVSQsbZgar3R/OWel3EYr8qcL:MKaj6iTcPAsAhxjgarB/5el3EYrw |
| MD5: | 98ACA7ADB400F0C176D74C77465A1129 |
| SHA1: | 3E390CB58C318F42B154074538737D15D0A3BDDD |
| SHA-256: | B2E13FFD2E05DE173D2C7E595F94E189E793DA4ED3669D7BC6EA4A8A78335CF8 |
| SHA-512: | 00DA288133D58B4BBB0A3B52C12188F6DA1DB178B3BC7F75E7FA3243637C6B5BB528620FDB9A9C55EB7CA7D50F0AAC87CE541BF8CD1385A9940B3C6B27DB893C |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\Setup.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 7.997783383573854 |
| Encrypted: | true |
| SSDEEP: | 1536:w6ETQGQxkKd4GBpZG4cQam4ZjBO+GB9qVjLDnOwxa0lm:w6uX2kLGBpZFRgVjg0g |
| MD5: | 62D36630514AB76861A28A71563763F8 |
| SHA1: | 6879295285E5ADFE79A9F5A45359A012C0947020 |
| SHA-256: | 0BB325D41CA04594B6A29EBA4CB114F5176B4C043D579B6BD9A1096751F83B7D |
| SHA-512: | B9519C912A0C40C67AC006ACEC2835EBB1B42BB9C2D1CA003426A471954C0A65B3A591BB705F2537818017FE942AF3C9CCDB4B0716A02CF715AD560A67A66122 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\extrac32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 74752 |
| Entropy (8bit): | 4.928819526554737 |
| Encrypted: | false |
| SSDEEP: | 384:D9HPmPuki09PrOa3HwwuBcozc/mwftIQXoSpu88888888888888888888888888r:D9vmPukxhSaAwuXc/mex/Sx |
| MD5: | 710B11006ABA1306CB0B68A4BACB7647 |
| SHA1: | FC590C24F1966CF3453B97C65FE7E0F05FD775E3 |
| SHA-256: | 49CF7983DE8A8F8D98E927F5D83FFE4F97794CF2BED11F5470C7761F9152738B |
| SHA-512: | 2AB62179A5E736F4647998E30F78F21BF0B461744FB8E77BB128A62C245EABAE168359AAD3A4C73517C4B330D95AF4A9CC121AF6E104C13FFEA950FE83855F69 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\extrac32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 58368 |
| Entropy (8bit): | 6.534962803903033 |
| Encrypted: | false |
| SSDEEP: | 768:cQ18OWrM81EyJqx9EdzGGXZVfmlqTmN5WAQIGK2ud5lS87uzh7JCQ/sE7mOB6XSu:X1/AD1EsdzVXnP94SGGLpRB6M28eFvN |
| MD5: | 0D69060CA3165CEA1A5B4CE7BBC34B22 |
| SHA1: | BB4E865A1C5F22AB0D8B73C6068DF1FFBB17F1C8 |
| SHA-256: | A2C036FCBDB9F98DC2FBDA4154464D34DA3FFBA55D32951B748015EDF61C09BD |
| SHA-512: | 1FE7348C29AF25950540C7F30C758F1E12B300C71F68AAC0D64181C16E8767211E6991B4455626C785523ED35732806AAF7723190FCE907781A111F9F4DBA8B2 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\extrac32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 64512 |
| Entropy (8bit): | 6.696613799059466 |
| Encrypted: | false |
| SSDEEP: | 1536:BvI932eOypvcLSDOSpZ+Sh+I+FrbCyI7P4CT:Bv+32eOyKODOSpQSAU4CT |
| MD5: | FD9AF536765A6560802EC52E22310420 |
| SHA1: | F122752EC08531BF78816D421A7B37CDC967B9EC |
| SHA-256: | B785A0BD758E4DF2E74F95F80DFF95A6A666B5CDF1D0385B2061E314CD2FD15E |
| SHA-512: | 87A9CDCCDB5ABABA4394726691E1750B1DFA15EC731DE87BF47258031BF359A54482104A48AF41AD549F8E53414B5CCBD9DAD164FD16AD8A57943061FEAE047A |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\Setup.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 54272 |
| Entropy (8bit): | 7.996723705881468 |
| Encrypted: | true |
| SSDEEP: | 1536:R1DXNoCtXg6VfwU1vvfwjBmVq9krD54tUAMys:RJXNrXg6VfwCvvUkvkUh1 |
| MD5: | 44A28C22401CE7D2C31316E407773FA7 |
| SHA1: | C5D84C5B9BE5BF88EA8FFFFFDF4099B2AD0E1485 |
| SHA-256: | B81CABF6D31D42C805066DCA44A78FA2B65187D5A0666BC7D8EB808EAF3BA698 |
| SHA-512: | 215C6CB52F10EA746ED1E0BA5EC49AC48B1694B717DCC85F4D9D7C375D199CECA544C563D8398247B2D194FCADA56D4AF9DB6BD30658FEF32FCBE131F201758F |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\extrac32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 82944 |
| Entropy (8bit): | 6.025879668490226 |
| Encrypted: | false |
| SSDEEP: | 1536:ZYfv2j62SfuVGHj1vtK7h6R8anHsWccd0vtmgMbFuz08QuklMBNIg:ZC2jfTq8QLeAg0Fuz08XvBN/ |
| MD5: | CAE602F214F31F8526C2658BF7A02E54 |
| SHA1: | 84804B68DA5AF9A818B360421EA381C0D635A387 |
| SHA-256: | 7F3BA9F4D5FDE790B05150B396400B168F9B80607438C7643E8D3445C54DCC36 |
| SHA-512: | 3EA7AAF15F82DFE8CB85A2555D046132D581116676F12253C29E69295D9E6CDF7694D84710C4AD7E2C2398953C84DAC8E74CF3DFB6AE91BFEC1F6655E629E146 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\Setup.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 100352 |
| Entropy (8bit): | 7.998355358244918 |
| Encrypted: | true |
| SSDEEP: | 1536:NdRsgg0sV1OUjPACqMNEfwgI/d3bKeetLoAZbKMKgIEeGa86LPM2/YyflzrQ/do+:7RsmgUUjoChMU2B9KMKgVen9PDfQFokB |
| MD5: | B8B501AC81E432FFAA497157411C303D |
| SHA1: | F2A3B9014B678665E535FF181A5D4167DC593B98 |
| SHA-256: | A7D7C1F03CF4ECB1F39BCD5610C376296BCBD8352797959D10B599E65A16BDD2 |
| SHA-512: | D09CBB79D1068552F69A5FFFB544557A6236E9CCAD0CD0EC4043E27F6102798B1D973086DCE4C8A8AEEA683D78F7451B72579800F62C53F0843EADDDD7D9A98D |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Windows\SysWOW64\extrac32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 122880 |
| Entropy (8bit): | 6.423730287625938 |
| Encrypted: | false |
| SSDEEP: | 3072:SjGWoUlJUPdgQa8Bp/LxyA3laW2UDQWf05mjccBiqXvpgF4y:SjGgQaE/loUDtf0accB3gn |
| MD5: | DB8E568F416B00852B1A285709424B63 |
| SHA1: | 0F8D9C99D0C2EB5D5B636817FE9753A9969F2F6C |
| SHA-256: | 2C0AD1D50C6CE6FBFF0474C2752DC2B2319E868972F90B43440849C921C45FD9 |
| SHA-512: | FC41E1B5401E82F2156B9211341BF33378A912E9E1B1529EE3B8945BAAEB843C8967C65799F4A6FBF482D9524878F10EBA10A8AA8F68BFCA1E786BC3A6678EE9 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\extrac32.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 518 |
| Entropy (8bit): | 4.51036591364456 |
| Encrypted: | false |
| SSDEEP: | 6:QOqjvVg3F+X32+hZCt7HSbYwClS6CSNEcixN3Qdp94sA4PvMt/66h1I2YgJ62/n:HyGSG+fCtJfjEvadTfA43k66h1ICdn |
| MD5: | 7ED9883D4ADDBFE9B9C3FD867F5A65C1 |
| SHA1: | DE63478DB3CB7022FE989E9AD35431F8922FD135 |
| SHA-256: | A2D4665B8438AB7CF96822BB792738B6706EDC40003E09EFAFA29E464D69A61D |
| SHA-512: | A2327FC0DE8F0B227D4D4A6B3FA82DA7C60890D4612969766F4BB47A7EA714BD3CFD345208D4938B0D4AB179244CE428F6862FF12074D32C284B98D9D5996421 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\Setup.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 18031 |
| Entropy (8bit): | 5.155803009881373 |
| Encrypted: | false |
| SSDEEP: | 192:XDxCd3uZXiZtjjPHgbPWeh5ZF2XxH2jSpltMkiAMpuyHMCVzEsTooDlvGZmdrs9Z:RZXujjPAbTfWcSpU91ztToKHsGTWUY |
| MD5: | 69667EBCBFDE66B4CC35D80EC12CFBEF |
| SHA1: | CBD213C337F3A5672D215A01A8872CCE4B4A22B8 |
| SHA-256: | 26F223BDC7E530114BA315304A25CC4E4C4800AE7BE7DD40EAAB9654BD5652C5 |
| SHA-512: | D01F7F1EAEB3F3195DB205343D7164D6009A5C9CC13DB2A5876690B8A040D106073756157D7EBD952F11A26D525061971C104E936BD18C84E82A52C93392B459 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\cmd.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 18031 |
| Entropy (8bit): | 5.155803009881373 |
| Encrypted: | false |
| SSDEEP: | 192:XDxCd3uZXiZtjjPHgbPWeh5ZF2XxH2jSpltMkiAMpuyHMCVzEsTooDlvGZmdrs9Z:RZXujjPAbTfWcSpU91ztToKHsGTWUY |
| MD5: | 69667EBCBFDE66B4CC35D80EC12CFBEF |
| SHA1: | CBD213C337F3A5672D215A01A8872CCE4B4A22B8 |
| SHA-256: | 26F223BDC7E530114BA315304A25CC4E4C4800AE7BE7DD40EAAB9654BD5652C5 |
| SHA-512: | D01F7F1EAEB3F3195DB205343D7164D6009A5C9CC13DB2A5876690B8A040D106073756157D7EBD952F11A26D525061971C104E936BD18C84E82A52C93392B459 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\Setup.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 83968 |
| Entropy (8bit): | 7.997951710128455 |
| Encrypted: | true |
| SSDEEP: | 1536:TzsErzTJMLeR4tRbUgX+oJpe0o+6r6Xr9N/arAneYVpRAza+3WCYxfwV:T/rzTJWU6q056rexN/arAneEXQ |
| MD5: | B242A1E21D6C1C3B2A06D627FD6BA7A4 |
| SHA1: | 3E55CCAA14A450E0C137C2C1AB5A3D09A0ADE579 |
| SHA-256: | 45A816BA76509CA2E3C1EC925D48F26C4B8A14A6A16FCF9831EFB1EDD1D11DF0 |
| SHA-512: | 441415118AA85EC818F1F663494BF9BADB922920BABAB88DC9CA10726570059812C546C7C1704215BBA853B0033B38D7A4F1AFCAB5F27EAC843CB2DF5AFE7687 |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.988726019100514 |
| TrID: |
|
| File name: | Setup.exe |
| File size: | 1'241'125 bytes |
| MD5: | 69d60e74d9063949aa710804c99e4468 |
| SHA1: | c3c669bafcaedb94b4ea02afb19155b99b0bdf88 |
| SHA256: | a6f505950424c626a2e800ee4d5b50de2e091d6b1f4f8ceeedc0e2e4af6aa6c0 |
| SHA512: | 6957e6ddfbe384d3980d94616951fb0e2adc9d5eb4e0b008417256631f8f83b26f148c00b2727be00687ff2a1f6ffede33f4b41251ef3687b891cdcf64d0cf2b |
| SSDEEP: | 24576:q0a38rTjI6ImYmxl8xj3po7rUkeRDORB36KguXzbX4bmaLCp/Wi/NvLavIr5QKGv:q9ATk6no5o7rUkeRYBKcfIbmaLCNjBat |
| TLSH: | FE4533A15710F02FDAD2027860A9CA97DCA6F1662A14F46793314C0B7F19BE2CCED797 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.ydx..7x..7x..7_Hz7{..7_Hl7i..7x..7...7q..7s..7q..7y..7q..7y..7Richx..7........................PE..L....l.K.................d. |
 | |
| Icon Hash: | c48ab2b2b2de7eb2 |
| Entrypoint: | 0x4033e9 |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | NO_SEH, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x4BC06CCB [Sat Apr 10 12:19:23 2010 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 0 |
| File Version Major: | 5 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 0 |
| Import Hash: | bf95d1fc1d10de18b32654b123ad5e1f |
| Signature Valid: | false |
| Signature Issuer: | CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB |
| Signature Validation Error: | The digital signature of the object did not verify |
| Error Number: | -2146869232 |
| Not Before, Not After |
|
| Subject Chain |
|
| Version: | 3 |
| Thumbprint MD5: | BC1D93D0BDCAF676875F8ABD14CA47E5 |
| Thumbprint SHA-1: | B963A16C552E2C3EDECDAE05B2EEE3EAE21C9E69 |
| Thumbprint SHA-256: | E4223370B8A3AF45184F0E499C01E6FCF32F8E6D7DE6891B06B0A089DF1F56B1 |
| Serial: | 00F935156DCA90FF6FBCC51A2C708B0CFA |
| Instruction |
|---|
| sub esp, 000002D4h |
| push ebx |
| push ebp |
| push esi |
| push edi |
| push 00000020h |
| xor ebp, ebp |
| pop esi |
| mov dword ptr [esp+18h], ebp |
| mov dword ptr [esp+10h], 00408570h |
| mov dword ptr [esp+14h], ebp |
| call dword ptr [00408030h] |
| push 00008001h |
| call dword ptr [004080B4h] |
| push ebp |
| call dword ptr [004082B0h] |
| push 00000008h |
| mov dword ptr [00470678h], eax |
| call 00007FA70D4434BCh |
| push ebp |
| push 000002B4h |
| mov dword ptr [00470590h], eax |
| lea eax, dword ptr [esp+38h] |
| push eax |
| push ebp |
| push 0040856Ch |
| call dword ptr [00408180h] |
| push 00408554h |
| push 00468580h |
| call 00007FA70D44338Ah |
| call dword ptr [004080B0h] |
| push eax |
| mov edi, 004C10A0h |
| push edi |
| call 00007FA70D443378h |
| push ebp |
| call dword ptr [00408130h] |
| cmp word ptr [004C10A0h], 0022h |
| mov dword ptr [00470598h], eax |
| mov eax, edi |
| jne 00007FA70D440D5Ah |
| push 00000022h |
| pop esi |
| mov eax, 004C10A2h |
| push esi |
| push eax |
| call 00007FA70D44304Ch |
| push eax |
| call dword ptr [00408250h] |
| mov esi, eax |
| mov dword ptr [esp+1Ch], esi |
| jmp 00007FA70D440DE1h |
| push 00000020h |
| pop ebx |
| cmp ax, bx |
| jne 00007FA70D440D59h |
| inc esi |
| inc esi |
| cmp word ptr [esi], bx |
| je 00007FA70D440D4Bh |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x89f0 | 0xb4 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf2000 | 0x214c0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x12c475 | 0x2bb0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2c0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x6240 | 0x6400 | 1a752074fcd11165f6f148ea63ebe068 | False | 0.656640625 | data | 6.421737576039348 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x8000 | 0x18ca | 0x1a00 | 7eb0899a4b6211f8bc545228417d92ad | False | 0.42427884615384615 | data | 4.878367399492845 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xa000 | 0x6667c | 0x200 | b0b1d7c362f8cc76541b7fce5014e602 | False | 0.193359375 | data | 1.3587162613330246 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .ndata | 0x71000 | 0x81000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xf2000 | 0x214c0 | 0x21600 | 4653a19bf355be8736594117d84a8821 | False | 0.9765478698501873 | data | 7.918697075731429 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xf2220 | 0x1acaa | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9982868286281872 |
| RT_ICON | 0x10ced0 | 0x2b96 | PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced | English | United States | 1.0009858397562288 |
| RT_ICON | 0x10fa68 | 0x2393 | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0012078620841112 |
| RT_ICON | 0x111e00 | 0x1128 | Device independent bitmap graphic, 32 x 64 x 32, image size 4352 | English | United States | 0.5881147540983607 |
| RT_DIALOG | 0x112f28 | 0x100 | data | English | United States | 0.5234375 |
| RT_DIALOG | 0x113028 | 0x11c | data | English | United States | 0.6056338028169014 |
| RT_DIALOG | 0x113148 | 0x60 | data | English | United States | 0.7291666666666666 |
| RT_GROUP_ICON | 0x1131a8 | 0x3e | data | English | United States | 0.8548387096774194 |
| RT_MANIFEST | 0x1131e8 | 0x2d4 | XML 1.0 document, ASCII text, with very long lines (724), with no line terminators | English | United States | 0.5649171270718232 |
| DLL | Import |
|---|---|
| KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, MulDiv, lstrlenA, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW |
| USER32.dll | ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, FindWindowExW, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, IsWindow |
| GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject |
| SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation |
| ADVAPI32.dll | RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW |
| COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create |
| ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance |
| VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-04-13T16:25:03.098487+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49735 | 89.169.54.153 | 443 | TCP |
| 2025-04-13T16:25:50.179624+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49726 | 104.21.5.162 | 443 | TCP |
| 2025-04-13T16:25:52.100476+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49727 | 104.21.5.162 | 443 | TCP |
| 2025-04-13T16:25:53.197917+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49728 | 104.21.5.162 | 443 | TCP |
| 2025-04-13T16:25:55.215678+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49729 | 104.21.5.162 | 443 | TCP |
| 2025-04-13T16:25:58.182515+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49730 | 104.21.5.162 | 443 | TCP |
| 2025-04-13T16:25:59.150068+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 104.21.5.162 | 443 | TCP |
| 2025-04-13T16:26:00.242952+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49732 | 104.21.5.162 | 443 | TCP |
| 2025-04-13T16:26:02.180377+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49733 | 104.21.5.162 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Apr 13, 2025 16:25:49.932624102 CEST | 49726 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:49.932660103 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:49.932743073 CEST | 49726 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:49.935699940 CEST | 49726 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:49.935709000 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.179536104 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.179624081 CEST | 49726 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:50.181179047 CEST | 49726 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:50.181185961 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.181585073 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.223261118 CEST | 49726 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:50.234558105 CEST | 49726 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:50.234592915 CEST | 49726 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:50.234648943 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.802295923 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.802350044 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.802392006 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.802431107 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.802447081 CEST | 49726 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:50.802475929 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.802490950 CEST | 49726 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:50.802552938 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.802598000 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.802602053 CEST | 49726 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:50.802612066 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.802664995 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.802721024 CEST | 49726 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:50.802726030 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.802771091 CEST | 49726 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:50.802999020 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.848187923 CEST | 49726 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:50.955023050 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.955188990 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.955279112 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.955368042 CEST | 49726 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:50.955372095 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.955399990 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.955534935 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.955560923 CEST | 49726 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:50.955574036 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.955585957 CEST | 49726 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:50.955707073 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.956007957 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.956065893 CEST | 49726 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:50.956072092 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.956119061 CEST | 49726 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:50.956123114 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.956222057 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.956331015 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.956381083 CEST | 49726 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:50.956386089 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.956434965 CEST | 49726 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:50.956439972 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.956875086 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.956959009 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.957010031 CEST | 49726 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:50.957015991 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.957062960 CEST | 49726 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:50.957067013 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.957165956 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.957247019 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.957302094 CEST | 49726 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:50.957305908 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.957355022 CEST | 49726 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:50.957359076 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.957458973 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.957885981 CEST | 49726 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:50.961875916 CEST | 49726 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:50.961875916 CEST | 49726 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:50.961903095 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:50.961922884 CEST | 443 | 49726 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:51.853230953 CEST | 49727 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:51.853336096 CEST | 443 | 49727 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:51.853432894 CEST | 49727 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:51.854304075 CEST | 49727 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:51.854341984 CEST | 443 | 49727 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:52.100351095 CEST | 443 | 49727 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:52.100476027 CEST | 49727 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:52.108340025 CEST | 49727 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:52.108367920 CEST | 443 | 49727 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:52.108639956 CEST | 443 | 49727 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:52.109772921 CEST | 49727 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:52.109934092 CEST | 49727 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:52.109978914 CEST | 443 | 49727 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:52.110045910 CEST | 49727 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:52.110060930 CEST | 443 | 49727 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:52.795336962 CEST | 443 | 49727 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:52.795625925 CEST | 443 | 49727 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:52.798300982 CEST | 49727 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:52.800894976 CEST | 49727 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:52.800941944 CEST | 443 | 49727 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:52.934976101 CEST | 49728 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:52.935065985 CEST | 443 | 49728 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:52.935204983 CEST | 49728 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:52.935620070 CEST | 49728 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:52.935651064 CEST | 443 | 49728 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:53.197751999 CEST | 443 | 49728 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:53.197916985 CEST | 49728 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:53.199070930 CEST | 49728 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:53.199098110 CEST | 443 | 49728 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:53.199534893 CEST | 443 | 49728 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:53.201029062 CEST | 49728 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:53.201149940 CEST | 49728 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:53.201189995 CEST | 443 | 49728 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:54.872864962 CEST | 443 | 49728 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:54.873199940 CEST | 443 | 49728 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:54.873431921 CEST | 49728 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:54.876142025 CEST | 49728 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:54.876185894 CEST | 443 | 49728 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:54.976952076 CEST | 49729 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:54.977051020 CEST | 443 | 49729 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:54.977174044 CEST | 49729 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:54.977448940 CEST | 49729 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:54.977473974 CEST | 443 | 49729 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:55.215401888 CEST | 443 | 49729 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:55.215677977 CEST | 49729 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:55.217458963 CEST | 49729 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:55.217510939 CEST | 443 | 49729 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:55.218017101 CEST | 443 | 49729 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:55.219149113 CEST | 49729 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:55.219358921 CEST | 49729 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:55.219413042 CEST | 443 | 49729 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:55.219496965 CEST | 49729 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:55.219513893 CEST | 443 | 49729 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:55.754838943 CEST | 443 | 49729 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:55.755139112 CEST | 443 | 49729 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:55.755331993 CEST | 49729 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:55.755418062 CEST | 49729 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:55.755456924 CEST | 443 | 49729 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:57.953046083 CEST | 49730 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:57.953150988 CEST | 443 | 49730 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:57.953253031 CEST | 49730 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:57.953557968 CEST | 49730 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:57.953597069 CEST | 443 | 49730 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:58.182298899 CEST | 443 | 49730 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:58.182514906 CEST | 49730 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:58.183670998 CEST | 49730 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:58.183684111 CEST | 443 | 49730 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:58.184500933 CEST | 443 | 49730 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:58.185508013 CEST | 49730 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:58.185607910 CEST | 49730 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:58.185672045 CEST | 443 | 49730 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:58.711936951 CEST | 443 | 49730 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:58.712287903 CEST | 443 | 49730 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:58.712373018 CEST | 49730 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:58.712419033 CEST | 49730 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:58.883362055 CEST | 49731 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:58.883464098 CEST | 443 | 49731 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:58.883729935 CEST | 49731 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:58.884033918 CEST | 49731 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:58.884073973 CEST | 443 | 49731 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:59.149993896 CEST | 443 | 49731 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:59.150068045 CEST | 49731 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:59.151284933 CEST | 49731 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:59.151297092 CEST | 443 | 49731 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:59.151633024 CEST | 443 | 49731 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:59.152705908 CEST | 49731 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:59.152831078 CEST | 49731 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:59.152861118 CEST | 443 | 49731 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:59.695561886 CEST | 443 | 49731 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:59.695888996 CEST | 443 | 49731 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:59.695921898 CEST | 49731 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:59.695970058 CEST | 49731 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:59.985363960 CEST | 49732 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:59.985457897 CEST | 443 | 49732 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:25:59.985826969 CEST | 49732 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:59.986182928 CEST | 49732 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:25:59.986222029 CEST | 443 | 49732 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:26:00.242841005 CEST | 443 | 49732 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:26:00.242952108 CEST | 49732 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:26:00.244045973 CEST | 49732 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:26:00.244074106 CEST | 443 | 49732 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:26:00.244436026 CEST | 443 | 49732 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:26:00.245624065 CEST | 49732 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:26:00.246300936 CEST | 49732 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:26:00.246349096 CEST | 443 | 49732 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:26:00.246485949 CEST | 49732 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:26:00.246541023 CEST | 443 | 49732 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:26:00.246681929 CEST | 49732 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:26:00.246751070 CEST | 443 | 49732 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:26:00.246978045 CEST | 49732 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:26:00.247030973 CEST | 443 | 49732 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:26:00.247234106 CEST | 49732 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:26:00.247297049 CEST | 443 | 49732 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:26:00.247507095 CEST | 49732 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:26:00.247559071 CEST | 443 | 49732 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:26:00.247590065 CEST | 49732 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:26:00.247620106 CEST | 443 | 49732 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:26:00.247836113 CEST | 49732 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:26:00.247873068 CEST | 443 | 49732 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:26:00.247915030 CEST | 49732 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:26:00.249948978 CEST | 49732 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:26:00.250009060 CEST | 49732 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:26:00.288295031 CEST | 443 | 49732 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:26:00.290292025 CEST | 49732 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:26:00.290339947 CEST | 443 | 49732 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:26:00.290389061 CEST | 49732 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:26:00.290446043 CEST | 443 | 49732 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:26:00.290488005 CEST | 49732 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:26:00.290512085 CEST | 443 | 49732 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:26:00.290561914 CEST | 49732 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:26:00.290584087 CEST | 443 | 49732 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:26:01.931195021 CEST | 443 | 49732 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:26:01.931552887 CEST | 443 | 49732 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:26:01.931726933 CEST | 49732 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:26:01.931767941 CEST | 49732 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:26:01.934746027 CEST | 49733 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:26:01.934794903 CEST | 443 | 49733 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:26:01.934910059 CEST | 49733 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:26:01.935290098 CEST | 49733 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:26:01.935309887 CEST | 443 | 49733 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:26:02.180200100 CEST | 443 | 49733 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:26:02.180377007 CEST | 49733 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:26:02.181514978 CEST | 49733 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:26:02.181526899 CEST | 443 | 49733 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:26:02.181857109 CEST | 443 | 49733 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:26:02.183319092 CEST | 49733 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:26:02.183356047 CEST | 49733 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:26:02.183419943 CEST | 443 | 49733 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:26:02.787864923 CEST | 443 | 49733 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:26:02.788043022 CEST | 443 | 49733 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:26:02.788150072 CEST | 49733 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:26:02.788424969 CEST | 49733 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:26:02.788444996 CEST | 443 | 49733 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:26:02.788463116 CEST | 49733 | 443 | 192.168.2.4 | 104.21.5.162 |
| Apr 13, 2025 16:26:02.788471937 CEST | 443 | 49733 | 104.21.5.162 | 192.168.2.4 |
| Apr 13, 2025 16:26:02.933846951 CEST | 49735 | 443 | 192.168.2.4 | 89.169.54.153 |
| Apr 13, 2025 16:26:02.933932066 CEST | 443 | 49735 | 89.169.54.153 | 192.168.2.4 |
| Apr 13, 2025 16:26:02.934031963 CEST | 49735 | 443 | 192.168.2.4 | 89.169.54.153 |
| Apr 13, 2025 16:26:02.934617996 CEST | 49735 | 443 | 192.168.2.4 | 89.169.54.153 |
| Apr 13, 2025 16:26:02.934696913 CEST | 443 | 49735 | 89.169.54.153 | 192.168.2.4 |
| Apr 13, 2025 16:26:03.147562981 CEST | 443 | 49735 | 89.169.54.153 | 192.168.2.4 |
| Apr 13, 2025 16:26:03.148114920 CEST | 49736 | 443 | 192.168.2.4 | 89.169.54.153 |
| Apr 13, 2025 16:26:03.148147106 CEST | 443 | 49736 | 89.169.54.153 | 192.168.2.4 |
| Apr 13, 2025 16:26:03.148220062 CEST | 49736 | 443 | 192.168.2.4 | 89.169.54.153 |
| Apr 13, 2025 16:26:03.148791075 CEST | 49736 | 443 | 192.168.2.4 | 89.169.54.153 |
| Apr 13, 2025 16:26:03.148801088 CEST | 443 | 49736 | 89.169.54.153 | 192.168.2.4 |
| Apr 13, 2025 16:26:03.374087095 CEST | 443 | 49736 | 89.169.54.153 | 192.168.2.4 |
| Apr 13, 2025 16:26:03.376761913 CEST | 49737 | 443 | 192.168.2.4 | 89.169.54.153 |
| Apr 13, 2025 16:26:03.376852989 CEST | 443 | 49737 | 89.169.54.153 | 192.168.2.4 |
| Apr 13, 2025 16:26:03.376974106 CEST | 49737 | 443 | 192.168.2.4 | 89.169.54.153 |
| Apr 13, 2025 16:26:03.377723932 CEST | 49737 | 443 | 192.168.2.4 | 89.169.54.153 |
| Apr 13, 2025 16:26:03.377764940 CEST | 443 | 49737 | 89.169.54.153 | 192.168.2.4 |
| Apr 13, 2025 16:26:03.378814936 CEST | 49737 | 443 | 192.168.2.4 | 89.169.54.153 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Apr 13, 2025 16:25:14.686952114 CEST | 59821 | 53 | 192.168.2.4 | 1.1.1.1 |
| Apr 13, 2025 16:25:14.836693048 CEST | 53 | 59821 | 1.1.1.1 | 192.168.2.4 |
| Apr 13, 2025 16:25:49.642154932 CEST | 63659 | 53 | 192.168.2.4 | 1.1.1.1 |
| Apr 13, 2025 16:25:49.925471067 CEST | 53 | 63659 | 1.1.1.1 | 192.168.2.4 |
| Apr 13, 2025 16:26:02.792335033 CEST | 51527 | 53 | 192.168.2.4 | 1.1.1.1 |
| Apr 13, 2025 16:26:02.932816982 CEST | 53 | 51527 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Apr 13, 2025 16:25:14.686952114 CEST | 192.168.2.4 | 1.1.1.1 | 0xd8da | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Apr 13, 2025 16:25:49.642154932 CEST | 192.168.2.4 | 1.1.1.1 | 0x400 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Apr 13, 2025 16:26:02.792335033 CEST | 192.168.2.4 | 1.1.1.1 | 0xea76 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Apr 13, 2025 16:25:14.836693048 CEST | 1.1.1.1 | 192.168.2.4 | 0xd8da | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
| Apr 13, 2025 16:25:49.925471067 CEST | 1.1.1.1 | 192.168.2.4 | 0x400 | No error (0) | 104.21.5.162 | A (IP address) | IN (0x0001) | false | ||
| Apr 13, 2025 16:25:49.925471067 CEST | 1.1.1.1 | 192.168.2.4 | 0x400 | No error (0) | 172.67.133.158 | A (IP address) | IN (0x0001) | false | ||
| Apr 13, 2025 16:26:02.932816982 CEST | 1.1.1.1 | 192.168.2.4 | 0xea76 | No error (0) | 89.169.54.153 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49726 | 104.21.5.162 | 443 | 7248 | C:\Users\user\AppData\Local\Temp\335031\Amino.com |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-04-13 14:25:50 UTC | 267 | OUT | |
| 2025-04-13 14:25:50 UTC | 83 | OUT | |
| 2025-04-13 14:25:50 UTC | 794 | IN | |
| 2025-04-13 14:25:50 UTC | 575 | IN | |
| 2025-04-13 14:25:50 UTC | 1369 | IN | |
| 2025-04-13 14:25:50 UTC | 1369 | IN | |
| 2025-04-13 14:25:50 UTC | 1369 | IN | |
| 2025-04-13 14:25:50 UTC | 1369 | IN | |
| 2025-04-13 14:25:50 UTC | 1369 | IN | |
| 2025-04-13 14:25:50 UTC | 1369 | IN | |
| 2025-04-13 14:25:50 UTC | 1369 | IN | |
| 2025-04-13 14:25:50 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49727 | 104.21.5.162 | 443 | 7248 | C:\Users\user\AppData\Local\Temp\335031\Amino.com |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-04-13 14:25:52 UTC | 283 | OUT | |
| 2025-04-13 14:25:52 UTC | 15331 | OUT | |
| 2025-04-13 14:25:52 UTC | 4280 | OUT | |
| 2025-04-13 14:25:52 UTC | 814 | IN | |
| 2025-04-13 14:25:52 UTC | 76 | IN | |
| 2025-04-13 14:25:52 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.4 | 49728 | 104.21.5.162 | 443 | 7248 | C:\Users\user\AppData\Local\Temp\335031\Amino.com |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-04-13 14:25:53 UTC | 280 | OUT | |
| 2025-04-13 14:25:53 UTC | 8758 | OUT | |
| 2025-04-13 14:25:54 UTC | 817 | IN | |
| 2025-04-13 14:25:54 UTC | 76 | IN | |
| 2025-04-13 14:25:54 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.4 | 49729 | 104.21.5.162 | 443 | 7248 | C:\Users\user\AppData\Local\Temp\335031\Amino.com |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-04-13 14:25:55 UTC | 278 | OUT | |
| 2025-04-13 14:25:55 UTC | 15331 | OUT | |
| 2025-04-13 14:25:55 UTC | 5065 | OUT | |
| 2025-04-13 14:25:55 UTC | 820 | IN | |
| 2025-04-13 14:25:55 UTC | 76 | IN | |
| 2025-04-13 14:25:55 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.4 | 49730 | 104.21.5.162 | 443 | 7248 | C:\Users\user\AppData\Local\Temp\335031\Amino.com |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-04-13 14:25:58 UTC | 274 | OUT | |
| 2025-04-13 14:25:58 UTC | 5426 | OUT | |
| 2025-04-13 14:25:58 UTC | 814 | IN | |
| 2025-04-13 14:25:58 UTC | 76 | IN | |
| 2025-04-13 14:25:58 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.4 | 49731 | 104.21.5.162 | 443 | 7248 | C:\Users\user\AppData\Local\Temp\335031\Amino.com |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-04-13 14:25:59 UTC | 283 | OUT | |
| 2025-04-13 14:25:59 UTC | 2615 | OUT | |
| 2025-04-13 14:25:59 UTC | 824 | IN | |
| 2025-04-13 14:25:59 UTC | 76 | IN | |
| 2025-04-13 14:25:59 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.4 | 49732 | 104.21.5.162 | 443 | 7248 | C:\Users\user\AppData\Local\Temp\335031\Amino.com |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-04-13 14:26:00 UTC | 285 | OUT | |
| 2025-04-13 14:26:00 UTC | 15331 | OUT | |
| 2025-04-13 14:26:00 UTC | 15331 | OUT | |
| 2025-04-13 14:26:00 UTC | 15331 | OUT | |
| 2025-04-13 14:26:00 UTC | 15331 | OUT | |
| 2025-04-13 14:26:00 UTC | 15331 | OUT | |
| 2025-04-13 14:26:00 UTC | 15331 | OUT | |
| 2025-04-13 14:26:00 UTC | 15331 | OUT | |
| 2025-04-13 14:26:00 UTC | 15331 | OUT | |
| 2025-04-13 14:26:00 UTC | 15331 | OUT | |
| 2025-04-13 14:26:00 UTC | 15331 | OUT | |
| 2025-04-13 14:26:01 UTC | 814 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.4 | 49733 | 104.21.5.162 | 443 | 7248 | C:\Users\user\AppData\Local\Temp\335031\Amino.com |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-04-13 14:26:02 UTC | 268 | OUT | |
| 2025-04-13 14:26:02 UTC | 121 | OUT | |
| 2025-04-13 14:26:02 UTC | 791 | IN | |
| 2025-04-13 14:26:02 UTC | 108 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 10:25:08 |
| Start date: | 13/04/2025 |
| Path: | C:\Users\user\Desktop\Setup.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 1'241'125 bytes |
| MD5 hash: | 69D60E74D9063949AA710804C99E4468 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 10:25:09 |
| Start date: | 13/04/2025 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xc70000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 10:25:09 |
| Start date: | 13/04/2025 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff62fc20000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 10:25:11 |
| Start date: | 13/04/2025 |
| Path: | C:\Windows\SysWOW64\tasklist.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x590000 |
| File size: | 79'360 bytes |
| MD5 hash: | 0A4448B31CE7F83CB7691A2657F330F1 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 10:25:11 |
| Start date: | 13/04/2025 |
| Path: | C:\Windows\SysWOW64\findstr.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xe70000 |
| File size: | 29'696 bytes |
| MD5 hash: | F1D4BE0E99EC734376FDE474A8D4EA3E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 5 |
| Start time: | 10:25:11 |
| Start date: | 13/04/2025 |
| Path: | C:\Windows\SysWOW64\tasklist.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x590000 |
| File size: | 79'360 bytes |
| MD5 hash: | 0A4448B31CE7F83CB7691A2657F330F1 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 6 |
| Start time: | 10:25:11 |
| Start date: | 13/04/2025 |
| Path: | C:\Windows\SysWOW64\findstr.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xe70000 |
| File size: | 29'696 bytes |
| MD5 hash: | F1D4BE0E99EC734376FDE474A8D4EA3E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 7 |
| Start time: | 10:25:12 |
| Start date: | 13/04/2025 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xc70000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 8 |
| Start time: | 10:25:12 |
| Start date: | 13/04/2025 |
| Path: | C:\Windows\SysWOW64\extrac32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x150000 |
| File size: | 29'184 bytes |
| MD5 hash: | 9472AAB6390E4F1431BAA912FCFF9707 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 9 |
| Start time: | 10:25:13 |
| Start date: | 13/04/2025 |
| Path: | C:\Windows\SysWOW64\findstr.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xe70000 |
| File size: | 29'696 bytes |
| MD5 hash: | F1D4BE0E99EC734376FDE474A8D4EA3E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 10 |
| Start time: | 10:25:13 |
| Start date: | 13/04/2025 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xc70000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 11 |
| Start time: | 10:25:13 |
| Start date: | 13/04/2025 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xc70000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 12 |
| Start time: | 10:25:13 |
| Start date: | 13/04/2025 |
| Path: | C:\Users\user\AppData\Local\Temp\335031\Amino.com |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x610000 |
| File size: | 947'288 bytes |
| MD5 hash: | 62D09F076E6E0240548C2F837536A46A |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Antivirus matches: |
|
| Has exited: | true |
| Target ID: | 14 |
| Start time: | 10:25:13 |
| Start date: | 13/04/2025 |
| Path: | C:\Windows\SysWOW64\choice.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x6b0000 |
| File size: | 28'160 bytes |
| MD5 hash: | FCE0E41C87DC4ABBE976998AD26C27E4 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Has exited: | true |