Windows Analysis Report
file.exe

Overview
General Information

Detection: LummaC Stealer
Score: 100
Range: 0 - 100
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
file.exe (PID: 8108, cmdline: "C:\Users\user\Desktop\file.exe", MD5: D0C0E2B8CDCF7891093E828326FC7240)
MSBuild.exe (PID: 8164, cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
- cleanup
{"C2 url": ["zestmodp.top/zeda", "jawdedmirror.run/ewqd", "changeaie.top/geps", "lonfgshadow.live/xawi", "liftally.top/xasj", "nighetwhisper.top/lekd", "salaccgfa.top/gsooz", "owlflright.digital/qopy"], "Build id": "96efdfe8c3b1c339731fabb10966231d"}
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security | |
| | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | |
| | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security | |

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | |
| | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | |
System Summary
- Author: Kiran kumar s, oscd.community
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-04-15T17:56:39.236422+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49692 | 104.21.112.1 | 443 | TCP |
2025-04-15T17:56:40.893756+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49693 | 104.21.112.1 | 443 | TCP |
2025-04-15T17:56:42.135143+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49694 | 104.21.112.1 | 443 | TCP |
2025-04-15T17:56:43.391961+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49695 | 104.21.112.1 | 443 | TCP |
2025-04-15T17:56:46.402842+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49696 | 104.21.112.1 | 443 | TCP |
2025-04-15T17:56:47.548092+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49697 | 104.21.112.1 | 443 | TCP |
2025-04-15T17:56:49.634005+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49699 | 104.21.112.1 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-04-15T17:56:39.236422+0200 | 2061406 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49692 | 104.21.112.1 | 443 | TCP |
2025-04-15T17:56:40.893756+0200 | 2061406 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49693 | 104.21.112.1 | 443 | TCP |
2025-04-15T17:56:42.135143+0200 | 2061406 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49694 | 104.21.112.1 | 443 | TCP |
2025-04-15T17:56:43.391961+0200 | 2061406 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49695 | 104.21.112.1 | 443 | TCP |
2025-04-15T17:56:46.402842+0200 | 2061406 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49696 | 104.21.112.1 | 443 | TCP |
2025-04-15T17:56:47.548092+0200 | 2061406 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49697 | 104.21.112.1 | 443 | TCP |
2025-04-15T17:56:49.634005+0200 | 2061406 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49699 | 104.21.112.1 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-04-15T17:56:38.863104+0200 | 2061405 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 52140 | 1.1.1.1 | 53 | UDP |
AV Detection
- Avira URL Cloud: 5 entries
- Malware Configuration Extractor: 1 entry
- Virustotal: 1 entry
- ReversingLabs: 1 entry
- String decryptor: 8 entries
- Code function: 1_2_0041D666, 1_2_0041DA0A, 1_2_0041CB15
- HTTPS traffic detected: 8 entries
- Static PE information: 1 entry
- Code function: 1_2_0044D0E0, 1_2_0041C1D1, 1_2_0041C1D1, 1_2_004192A0, 1_2_004192A0, 1_2_004192A0, 1_2_004192A0, 1_2_0044C3E0, 1_2_0044C4F0, 1_2_00410553, 1_2_004277F0, 1_2_00434840, 1_2_0044D840, 1_2_0042A855, 1_2_0041F8C0, 1_2_0041F8C0, 1_2_0041F8C0, 1_2_00448B21, 1_2_00448B21, 1_2_0042DC10, 1_2_00448E6F, 1_2_00448E6F, 1_2_00441F70, 1_2_00441F70, 1_2_00441F70, 1_2_00402060, 1_2_0043F000, 1_2_00434150, 1_2_00447170, 1_2_00447170, 1_2_004351CB, 1_2_0040B1D0, 1_2_00412250, 1_2_0042D2D0, 1_2_0040C290, 1_2_0044934E, 1_2_00432330, 1_2_0043533D, 1_2_0042E3CF, 1_2_0041E39C, 1_2_004023B0, 1_2_004254C0, 1_2_0041E4E9, 1_2_004364A8, 1_2_0044B558, 1_2_004225D0, 1_2_004225D0, 1_2_0042E652, 1_2_00435635, 1_2_004086A0, 1_2_0042D730, 1_2_0040C9F0, 1_2_0040C9F0, 1_2_00431A6C, 1_2_00436A7B, 1_2_00412AE4, 1_2_00436A81, 1_2_00412B46, 1_2_00421B51, 1_2_00421B51, 1_2_00426B20, 1_2_00401C60, 1_2_00448C74, 1_2_00434CA7, 1_2_00448D42, 1_2_0044CD10, 1_2_00431D80, 1_2_0042CE40, 1_2_00435E47, 1_2_00445E70, 1_2_0042BE39, 1_2_00443EFB, 1_2_00420E90, 1_2_00448F42, 1_2_00409F50, 1_2_00409F50, 1_2_0042BF6D, 1_2_0041BF1F, 1_2_0040BFB0
Networking
- Suricata IDS: 8 entries
- URLs: 8 entries
- IP Address: 2 entries
- ASN Name: 1 entry
- JA3 fingerprint: 2 entries
- Suricata IDS: 7 entries
- HTTP traffic detected: 7 entries
- TCP traffic detected without corresponding DNS query: 10 entries
- UDP traffic detected without corresponding DNS query: 3 entries
- HTTP traffic detected: 1 entry
- DNS traffic detected: 3 entries
- HTTP traffic detected: 1 entry
- String found in binary or memory: 5 entries
- Network traffic detected: 20 entries
- HTTPS traffic detected: 8 entries
- Code function: 1_2_0043D320, 1_2_0043D320, 1_2_0043D510
- Code function: 0_2_00007FF706C53000, 0_2_00007FF706C355C0, 0_2_00007FF706CD280C, 0_2_00007FF706C5E800, 0_2_00007FF706CCD798, 0_2_00007FF706C54FD0, 0_2_00007FF706C567D0, 0_2_00007FF706C9CFC0, 0_2_00007FF706C6C7C0, 0_2_00007FF706C4E790, 0_2_00007FF706C5CB80, 0_2_00007FF706C4CB80, 0_2_00007FF706CCE728, 0_2_00007FF706C6EB30, 0_2_00007FF706C51340, 0_2_00007FF706C68F40, 0_2_00007FF706CCC4F0, 0_2_00007FF706C460F0, 0_2_00007FF706C584E0, 0_2_00007FF706C508E0, 0_2_00007FF706C4A8E0, 0_2_00007FF706C5AD10, 0_2_00007FF706C64500, 0_2_00007FF706C57100, 0_2_00007FF706C350B0, 0_2_00007FF706C58CB0, 0_2_00007FF706C5B8D0, 0_2_00007FF706C6ACD0, 0_2_00007FF706C4F8C0, 0_2_00007FF706C5A860, 0_2_00007FF706C4F460, 0_2_00007FF706CE0C94, 0_2_00007FF706C4C890, 0_2_00007FF706C4E02F, 0_2_00007FF706CDA01C, 0_2_00007FF706C5D1F0, 0_2_00007FF706C5CDF0, 0_2_00007FF706C4FDE0, 0_2_00007FF706C4D1B0, 0_2_00007FF706CCD99C, 0_2_00007FF706C4A5A0, 0_2_00007FF706C551C0, 0_2_00007FF706C4D9C0, 0_2_00007FF706C59970, 0_2_00007FF706CCD594, 0_2_00007FF706C64190, 0_2_00007FF706C4AD90, 0_2_00007FF706C5D520, 0_2_00007FF706C5BD20, 0_2_00007FF706C57D20, 0_2_00007FF706C58950, 0_2_00007FF706C67950, 0_2_00007FF706C70550, 0_2_00007FF706C4B940, 0_2_00007FF706C6A6E0, 0_2_00007FF706CD2F10, 0_2_00007FF706C5AB10, 0_2_00007FF706CDA304, 0_2_00007FF706CDA6FC, 0_2_00007FF706C332B0, 0_2_00007FF706C64AB0, 0_2_00007FF706CCCAA0, 0_2_00007FF706C536A0, 0_2_00007FF706C676D0, 0_2_00007FF706C56AD0, 0_2_00007FF706CD02C0, 0_2_00007FF706C68AC0, 0_2_00007FF706C4666E, 0_2_00007FF706C63A70, 0_2_00007FF706C6C270, 0_2_00007FF706CE3E60, 0_2_00007FF706C4C290, 0_2_00007FF706C69690, 0_2_00007FF706C54230, 0_2_00007FF706C71220, 0_2_00007FF706C69A50, 0_2_00007FF706C60640
- Code function: 1_2_00414037, 1_2_0044D0E0, 1_2_00426250, 1_2_004192A0, 1_2_004153B6, 1_2_00434429, 1_2_0044C4F0, 1_2_0040B680, 1_2_00434840, 1_2_0041F8C0, 1_2_00445880, 1_2_0040D9F0, 1_2_00403A70, 1_2_00448B21, 1_2_00412BE8, 1_2_00441B80, 1_2_0042DC10, 1_2_00448E6F, 1_2_00410E87, 1_2_00441F70, 1_2_0043D050, 1_2_0041F07B, 1_2_004030D0, 1_2_004160FC, 1_2_00409170, 1_2_00447170, 1_2_0043A1C1, 1_2_004271C0, 1_2_00441210, 1_2_0040B220, 1_2_0042D28B, 1_2_0040C290, 1_2_0043D320, 1_2_00404382, 1_2_004023B0, 1_2_0044A3B0, 1_2_004433B0, 1_2_004383BB, 1_2_00441470, 1_2_0041B43B, 1_2_004254C0, 1_2_004214C6, 1_2_0042F5AF, 1_2_004405BF, 1_2_00416630, 1_2_004086A0, 1_2_0043076C, 1_2_00413710, 1_2_0042473A, 1_2_004147F9, 1_2_00423840, 1_2_0041E876, 1_2_0041080E, 1_2_0040A950, 1_2_0044C950, 1_2_0044A910, 1_2_0043A930, 1_2_0040C9F0, 1_2_00407990, 1_2_00433A60, 1_2_00446A00, 1_2_00449A01, 1_2_00435A0A, 1_2_00415AD0, 1_2_0040FA90, 1_2_00426B20, 1_2_00408BC0, 1_2_0043ABE0, 1_2_0043CB90, 1_2_00406B96, 1_2_00423C90, 1_2_00434CA7, 1_2_0044CD10, 1_2_00422DD0, 1_2_00447DA0, 1_2_0042CE40, 1_2_00442E40, 1_2_00445E70, 1_2_00429E87, 1_2_00448F42, 1_2_00409F50, 1_2_0044AF70, 1_2_00412F78, 1_2_0042FFA3
- Static PE information: 1 entry
- Binary or memory string: 3 entries
- Static PE information: 2 entries
- Classification label: 1 entry
- Code function: 1_2_00441F70
- Key opened: 1 entry
- Virustotal: 1 entry
- ReversingLabs: 1 entry
- File read: 1 entry
- Process created: 3 entries
- Section loaded: 38 entries
- Static PE information: 1 entry
- Static file information: 1 entry
- Static PE information: 1 entry
- Static PE information: 5 entries
- Static PE information: 6 entries
- Code function: 0_2_00007FF706C517F2, 0_2_00007FF706C5180F, 0_2_00007FF706C337B9, 0_2_00007FF706C517B4, 0_2_00007FF706C4776E, 0_2_00007FF706C47395, 0_2_00007FF706C3371D, 0_2_00007FF706C518F5, 0_2_00007FF706C47CD0, 0_2_00007FF706C33CD8, 0_2_00007FF706C484C6, 0_2_00007FF706C5180F, 0_2_00007FF706C47062, 0_2_00007FF706C48C63, 0_2_00007FF706C49C97, 0_2_00007FF706C48438, 0_2_00007FF706C51831, 0_2_00007FF706C47422, 0_2_00007FF706C33DF5, 0_2_00007FF706C465E9, 0_2_00007FF706C51A0C, 0_2_00007FF706C519B1, 0_2_00007FF706C4759C, 0_2_00007FF706C499A6, 0_2_00007FF706C481CF, 0_2_00007FF706C46D99, 0_2_00007FF706C3397E, 0_2_00007FF706C46586, 0_2_00007FF706C47D36, 0_2_00007FF706C51AFE, 0_2_00007FF706C482EB
- Static PE information: 2 entries
- Process information set: 1 entry
Malware Analysis System Evasion
- WMI Queries: 1 entry
- System information queried: 1 entry
- Thread sleep time: 1 entry
- WMI Queries: 1 entry
- Binary or memory string: 3 entries
- Process information queried: 1 entry
- Code function: 1_2_00448800
- Code function: 0_2_00007FF706CD0E14
- Code function: 0_2_00007FF706CC9384, 0_2_00007FF706CD0E14
HIPS / PFW / Operating System Protection Evasion
- Memory allocated: 1 entry
- Memory written: 1 entry
- Memory written: 6 entries
- Process created: 1 entry
- Code function: 0_2_00007FF706CDD808, 0_2_00007FF706CDD4F0, 0_2_00007FF706CDD1F0, 0_2_00007FF706CD8200, 0_2_00007FF706CDDA90, 0_2_00007FF706CD7A88
- Queries volume information: 1 entry
- Code function: 0_2_00007FF706CCA19C
- Key value queried: 1 entry
- Binary or memory string: 1 entry
- WMI Queries: 1 entry
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | Directory queried: |
Remote Access Functionality |
---|
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 DLL Side-Loading | 311 Process Injection | 21 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 311 Process Injection | LSASS Memory | 231 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 31 Data from Local System | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 4 Obfuscated Files or Information | NTDS | 1 Process Discovery | Distributed Component Object Model | 2 Clipboard Data | 114 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Software Packing | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 33 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Source | Detection | Scanner | Label |
---|---|---|---|
file.exe | 72% | Virustotal | |
file.exe | 72% | ReversingLabs | Win64.Trojan.LummaStealer |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
Detection | Scanner | Label |
---|---|---|
100% | Avira URL Cloud | malware |
100% | Avira URL Cloud | malware |
100% | Avira URL Cloud | malware |
100% | Avira URL Cloud | malware |
100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | high | |
ax-9999.ax-msedge.net | 150.171.27.254 | true | false | high | |
pki-goog.l.google.com | 172.253.124.94 | true | false | high | |
zestmodp.top | 104.21.112.1 | true | true | unknown | |
c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com | unknown | unknown | false | high | |
c.pki.goog | unknown | unknown | false | high |
Malicious | Reputation |
---|---|
false | high |
false | high |
false | high |
true | unknown |
false | high |
false | high |
false | high |
false | high |
false | high |
false | high |
Malicious | Reputation |
---|---|
false | unknown |
false | unknown |
false | unknown |
false | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
104.21.112.1 | zestmodp.top | United States | 13335 | CLOUDFLARENETUS | true |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1665637 |
Start date and time: | 2025-04-15 17:55:34 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 3m 51s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 5 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | file.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@3/0@3/1 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 199.232.214.172, 4.175.87.197, 13.95.31.18, 20.3.187.198, 23.76.34.6
- Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ax-ring.msedge.net, fs.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, slscr.update.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description |
---|---|---|
11:56:38 | API Interceptor |
Match | Detection | Threat Name |
---|---|---|
104.21.112.1 | malicious | FormBook |
104.21.112.1 | malicious | FormBook |
104.21.112.1 | malicious | FormBook |
104.21.112.1 | malicious | FormBook |
104.21.112.1 | malicious | FormBook |
104.21.112.1 | malicious | DBatLoader, FormBook |
104.21.112.1 | malicious | Unknown |
104.21.112.1 | malicious | FormBook |
104.21.112.1 | malicious | Unknown |
104.21.112.1 | malicious | Unknown |
Match | Detection | Threat Name |
---|---|---|
pki-goog.l.google.com | malicious | FormBook |
pki-goog.l.google.com | malicious | AgentTesla |
pki-goog.l.google.com | malicious | FormBook |
pki-goog.l.google.com | malicious | HTMLPhisher, ReCaptcha Phish |
pki-goog.l.google.com | malicious | Unknown |
pki-goog.l.google.com | malicious | Unknown |
pki-goog.l.google.com | malicious | GO Backdoor |
pki-goog.l.google.com | malicious | AgentTesla |
pki-goog.l.google.com | malicious | Unknown |
pki-goog.l.google.com | malicious | Remcos |
ax-9999.ax-msedge.net | malicious | AgentTesla |
ax-9999.ax-msedge.net | malicious | FormBook |
ax-9999.ax-msedge.net | malicious | DcRat |
ax-9999.ax-msedge.net | malicious | XWorm |
ax-9999.ax-msedge.net | malicious | LummaC Stealer |
ax-9999.ax-msedge.net | malicious | FormBook |
ax-9999.ax-msedge.net | malicious | Vidar |
ax-9999.ax-msedge.net | malicious | Vidar |
ax-9999.ax-msedge.net | malicious | Unknown |
ax-9999.ax-msedge.net | malicious | AgentTesla |
bg.microsoft.map.fastly.net | malicious | GuLoader |
bg.microsoft.map.fastly.net | malicious | Gabagool |
bg.microsoft.map.fastly.net | malicious | FormBook |
bg.microsoft.map.fastly.net | malicious | HTMLPhisher, CryptOne, LummaC Stealer, Socks5Systemz, Tofsee |
bg.microsoft.map.fastly.net | malicious | FormBook |
bg.microsoft.map.fastly.net | malicious | HTMLPhisher, ReCaptcha Phish |
bg.microsoft.map.fastly.net | malicious | Unknown |
bg.microsoft.map.fastly.net | malicious | Unknown |
bg.microsoft.map.fastly.net | malicious | Unknown |
bg.microsoft.map.fastly.net | malicious | GO Backdoor |
Match | Detection | Threat Name |
---|---|---|
CLOUDFLARENETUS | malicious | Unknown |
CLOUDFLARENETUS | malicious | HTMLPhisher |
CLOUDFLARENETUS | malicious | Unknown |
CLOUDFLARENETUS | malicious | HTMLPhisher |
CLOUDFLARENETUS | malicious | Cobalt Strike, FormBook |
CLOUDFLARENETUS | malicious | CAPTCHA Scam ClickFix |
CLOUDFLARENETUS | malicious | FormBook |
CLOUDFLARENETUS | malicious | TechSupportScam |
CLOUDFLARENETUS | malicious | Gabagool |
CLOUDFLARENETUS | malicious | LummaC Stealer |
Match | Detection | Threat Name |
---|---|---|
28a2c9bd18a11de089ef85a160da29e4 | malicious | Unknown |
28a2c9bd18a11de089ef85a160da29e4 | malicious | FormBook |
28a2c9bd18a11de089ef85a160da29e4 | malicious | Unknown |
28a2c9bd18a11de089ef85a160da29e4 | malicious | Unknown |
28a2c9bd18a11de089ef85a160da29e4 | malicious | Unknown |
28a2c9bd18a11de089ef85a160da29e4 | malicious | Unknown |
28a2c9bd18a11de089ef85a160da29e4 | malicious | AgentTesla |
28a2c9bd18a11de089ef85a160da29e4 | malicious | Unknown |
28a2c9bd18a11de089ef85a160da29e4 | malicious | Unknown |
28a2c9bd18a11de089ef85a160da29e4 | malicious | AgentTesla |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | LummaC Stealer |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | HTMLPhisher, CryptOne, LummaC Stealer, Socks5Systemz, Tofsee |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | LummaC Stealer |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | LummaC Stealer |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | Unknown |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | Amadey, LummaC Stealer |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | Amadey, LummaC Stealer |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | LummaC Stealer |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | Unknown |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | MSIL Logger, MassLogger RAT |
⊘No context
⊘No created / dropped files found
File type: | |
Entropy (8bit): | 7.620502489784953 |
TrID: | |
File name: | file.exe |
File size: | 1'582'080 bytes |
MD5: | d0c0e2b8cdcf7891093e828326fc7240 |
SHA1: | 82d4bc2c660c5853818925351b1f01a4933755a3 |
SHA256: | 4ef46582ae95f961c0a0af8262de20681d9fc34ab18ead54a634448c077fd82d |
SHA512: | 35033dddd0ed3ebb292be5e3eb1f01f116b71ff63cf03efdf069be081bb58c7582f9ab0756184905db6050c462197f40fdedee67436c8952edf23a24301723df |
SSDEEP: | 24576:sFtBhmrPJpYSHCLuc/NQXzwX6pYPq50IkyXzwX6pYPq50Ik:Qfo6NfXMYPqEXMYPq |
TLSH: | 8C75D02A519192DAF5D544B37A89A290B023F673873D1FEF80F4E3252547EE40B3E71A |
File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...gA.g.........."......|.....................@.....................................;....`........................................ |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x14009a188 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x140000000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x67F94167 [Fri Apr 11 16:20:55 2025 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | a898adc0428740dd4fad8431feafaf7a |
Entrypoint disassembly (x64). The listing is the standard MSVC CRT start-up stub: it compares the default security cookie 2B992DDFA232h against __security_cookie and, if unchanged, seeds it from GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId and QueryPerformanceCounter, all of which appear in the KERNEL32 import list below.
Instruction |
---|
sub rsp, 28h |
call 00007F0B38C19150h |
add rsp, 28h |
jmp 00007F0B38C18FBFh |
int3 |
int3 |
mov qword ptr [rsp+18h], rbx |
push rbp |
mov rbp, rsp |
sub rsp, 30h |
mov rax, qword ptr [rip+000310D0h] |
mov rbx, 00002B992DDFA232h |
cmp rax, rbx |
jne 00007F0B38C191B6h |
and qword ptr [rbp+10h], 00000000h |
lea rcx, qword ptr [rbp+10h] |
call qword ptr [rip+0002C042h] |
mov rax, qword ptr [rbp+10h] |
mov qword ptr [rbp-10h], rax |
call qword ptr [rip+0002BFACh] |
mov eax, eax |
xor qword ptr [rbp-10h], rax |
call qword ptr [rip+0002BF98h] |
mov eax, eax |
lea rcx, qword ptr [rbp+18h] |
xor qword ptr [rbp-10h], rax |
call qword ptr [rip+0002C0B8h] |
mov eax, dword ptr [rbp+18h] |
lea rcx, qword ptr [rbp-10h] |
shl rax, 20h |
xor rax, qword ptr [rbp+18h] |
xor rax, qword ptr [rbp-10h] |
xor rax, rcx |
mov rcx, 0000FFFFFFFFFFFFh |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc5d50 | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x18c000 | 0x7cb | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xd0000 | 0x31ec | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xdd000 | 0xaa0 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc16c0 | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xbb200 | 0x140 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0xc6090 | 0x318 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xb7a2e | 0xb7c00 | 95b7b1836694c92f6874e40f5216f1fb | False | 0.514859693877551 | data | 7.049880263957565 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0xb9000 | 0x101cc | 0x10200 | 9461490fcd9fdc1d1fb916349bae1ce3 | False | 0.4074309593023256 | OpenPGP Secret Key Version 6 | 4.8837328659943715 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xca000 | 0x5ad8 | 0x2400 | eeed9b9b3929e95e2f9accf23ca9bb80 | False | 0.1616753472222222 | data | 3.921203399253688 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0xd0000 | 0x31ec | 0x3200 | 6cbba02ee6fcebeda3c818e974065395 | False | 0.50171875 | data | 5.792295577943378 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.B5 | 0xd4000 | 0x3229 | 0x3400 | 75cda5ec0badb9868a9b1af833ca345b | False | 0.5454477163461539 | data | 6.940675920308152 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.gxfg | 0xd8000 | 0x1c70 | 0x1e00 | e1645edf2fc209056c11ba2648aac183 | False | 0.41692708333333334 | data | 4.978526138512825 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.retplne | 0xda000 | 0x8c | 0x200 | 8c950f651287cbc1296bcb4e8cd7e990 | False | 0.126953125 | data | 1.050583247971927 | |
.tls | 0xdb000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
_RDATA | 0xdc000 | 0x1f4 | 0x200 | 4c3192380a3877e08356b066c9690811 | False | 0.541015625 | data | 4.232091808468937 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0xdd000 | 0xaa0 | 0xc00 | c0d3f84af9e48e1df863556f22715610 | False | 0.4775390625 | data | 5.201784219915228 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.jss | 0xde000 | 0x56e00 | 0x56e00 | bd70ac92ecd7766c044c18639e6beb86 | False | 1.0003259892086331 | data | 7.999496214403847 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.jss | 0x135000 | 0x56e00 | 0x56e00 | bd70ac92ecd7766c044c18639e6beb86 | False | 1.0003259892086331 | data | 7.999496214403847 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x18c000 | 0x7cb | 0x800 | f635ea042fd2036c44cd7e7f38cfd43e | False | 0.4345703125 | data | 4.563754337342242 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0x18c0a0 | 0x364 | data | English | United States | 0.4608294930875576 |
RT_MANIFEST | 0x18c404 | 0x3c7 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.46328852119958636 |
DLL | Import |
---|---|
KERNEL32.dll | AcquireSRWLockExclusive, CloseHandle, CloseThreadpoolWork, CreateFileA, CreateFileW, CreateThreadpoolWork, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlsAlloc, FlsFree, FlsGetValue, FlsSetValue, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryWhenCallbackReturns, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitOnceBeginInitialize, InitOnceComplete, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlCaptureContext, RtlLookupFunctionEntry, RtlPcToFileHeader, RtlUnwind, RtlUnwindEx, RtlVirtualUnwind, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, Sleep, SleepConditionVariableSRW, SubmitThreadpoolWork, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile |
Description | Data |
---|---|
CompanyName | Microsoft Corporation |
FileDescription | Microsoft HTML Help Executable |
FileVersion | 10.0.19041.1 (WinBuild.160101.0800) |
InternalName | HH 1.41 |
LegalCopyright | Microsoft Corporation. All rights reserved. |
OriginalFilename | HH.exe |
ProductName | HTML Help |
ProductVersion | 10.0.19041.1 |
Translation | 0x0409 0x04b0 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-04-15T17:56:38.863104+0200 | 2061405 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zestmodp .top) | 1 | 192.168.2.5 | 52140 | 1.1.1.1 | 53 | UDP |
2025-04-15T17:56:39.236422+0200 | 2061406 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (zestmodp .top in TLS SNI) | 1 | 192.168.2.5 | 49692 | 104.21.112.1 | 443 | TCP |
2025-04-15T17:56:39.236422+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49692 | 104.21.112.1 | 443 | TCP |
2025-04-15T17:56:40.893756+0200 | 2061406 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (zestmodp .top in TLS SNI) | 1 | 192.168.2.5 | 49693 | 104.21.112.1 | 443 | TCP |
2025-04-15T17:56:40.893756+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49693 | 104.21.112.1 | 443 | TCP |
2025-04-15T17:56:42.135143+0200 | 2061406 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (zestmodp .top in TLS SNI) | 1 | 192.168.2.5 | 49694 | 104.21.112.1 | 443 | TCP |
2025-04-15T17:56:42.135143+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49694 | 104.21.112.1 | 443 | TCP |
2025-04-15T17:56:43.391961+0200 | 2061406 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (zestmodp .top in TLS SNI) | 1 | 192.168.2.5 | 49695 | 104.21.112.1 | 443 | TCP |
2025-04-15T17:56:43.391961+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49695 | 104.21.112.1 | 443 | TCP |
2025-04-15T17:56:46.402842+0200 | 2061406 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (zestmodp .top in TLS SNI) | 1 | 192.168.2.5 | 49696 | 104.21.112.1 | 443 | TCP |
2025-04-15T17:56:46.402842+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49696 | 104.21.112.1 | 443 | TCP |
2025-04-15T17:56:47.548092+0200 | 2061406 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (zestmodp .top in TLS SNI) | 1 | 192.168.2.5 | 49697 | 104.21.112.1 | 443 | TCP |
2025-04-15T17:56:47.548092+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49697 | 104.21.112.1 | 443 | TCP |
2025-04-15T17:56:49.634005+0200 | 2061406 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (zestmodp .top in TLS SNI) | 1 | 192.168.2.5 | 49699 | 104.21.112.1 | 443 | TCP |
2025-04-15T17:56:49.634005+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49699 | 104.21.112.1 | 443 | TCP |
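The alert table above tells one story in three rule families: a single DNS lookup of the C2 domain (SID 2061405), then seven short TLS sessions to 104.21.112.1 on fresh ephemeral ports (SID 2061406), each also matching the JA3 rule (SID 2028371), at roughly two-second intervals. The script below is an added example, not Joe Sandbox output: it parses rows in the table's pipe-separated layout (copied verbatim as its sample input), re-fangs the domain that the Emerging Threats rule message defangs as "zestmodp .top" (it also handles the bracket form "zestmodp[.]top", which is not in this table), pairs the DNS alert with the TLS-SNI alerts that follow it, and measures the beacon cadence per destination.

```python
"""Added example (not Joe Sandbox output): correlate the Suricata alerts above into a per-
destination C2 picture. Input is the table's own rows in its pipe-separated layout."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean

# Copied from the Suricata alert table above; the domain is defanged by the ET rule author.
ALERT_ROWS = """\
2025-04-15T17:56:38.863104+0200 | 2061405 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zestmodp .top) | 1 | 192.168.2.5 | 52140 | 1.1.1.1 | 53 | UDP
2025-04-15T17:56:39.236422+0200 | 2061406 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (zestmodp .top in TLS SNI) | 1 | 192.168.2.5 | 49692 | 104.21.112.1 | 443 | TCP
2025-04-15T17:56:39.236422+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49692 | 104.21.112.1 | 443 | TCP
2025-04-15T17:56:40.893756+0200 | 2061406 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (zestmodp .top in TLS SNI) | 1 | 192.168.2.5 | 49693 | 104.21.112.1 | 443 | TCP
2025-04-15T17:56:40.893756+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49693 | 104.21.112.1 | 443 | TCP
2025-04-15T17:56:42.135143+0200 | 2061406 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (zestmodp .top in TLS SNI) | 1 | 192.168.2.5 | 49694 | 104.21.112.1 | 443 | TCP
2025-04-15T17:56:42.135143+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49694 | 104.21.112.1 | 443 | TCP
2025-04-15T17:56:43.391961+0200 | 2061406 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (zestmodp .top in TLS SNI) | 1 | 192.168.2.5 | 49695 | 104.21.112.1 | 443 | TCP
2025-04-15T17:56:43.391961+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49695 | 104.21.112.1 | 443 | TCP
2025-04-15T17:56:46.402842+0200 | 2061406 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (zestmodp .top in TLS SNI) | 1 | 192.168.2.5 | 49696 | 104.21.112.1 | 443 | TCP
2025-04-15T17:56:46.402842+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49696 | 104.21.112.1 | 443 | TCP
2025-04-15T17:56:47.548092+0200 | 2061406 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (zestmodp .top in TLS SNI) | 1 | 192.168.2.5 | 49697 | 104.21.112.1 | 443 | TCP
2025-04-15T17:56:47.548092+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49697 | 104.21.112.1 | 443 | TCP
2025-04-15T17:56:49.634005+0200 | 2061406 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (zestmodp .top in TLS SNI) | 1 | 192.168.2.5 | 49699 | 104.21.112.1 | 443 | TCP
2025-04-15T17:56:49.634005+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49699 | 104.21.112.1 | 443 | TCP
"""
FIELDS = ("timestamp", "sid", "signature", "severity", "src_ip", "src_port", "dst_ip", "dst_port", "proto")
# Matches "zestmodp .top" and "zestmodp[.]top" inside the first parenthesis of a rule message.
DEFANGED = re.compile(r"\(([A-Za-z0-9-]+(?:\s*(?:\[\.\]|\.)\s*[A-Za-z0-9-]+)+)")


def parse_alerts(text: str) -> list:
    """One dict per alert row, with typed time, ports and SID."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, (p.strip() for p in line.split("|"))))
        rec["time"] = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        rec["sid"], rec["src_port"], rec["dst_port"] = int(rec["sid"]), int(rec["src_port"]), int(rec["dst_port"])
        alerts.append(rec)
    return alerts


def refang(signature: str):
    """Recover the real indicator from a defanged domain in a rule message, or None."""
    m = DEFANGED.search(signature)
    return re.sub(r"[\s\[\]]", "", m.group(1)) if m else None


def summarize(alerts: list) -> dict:
    """Per destination IP: SID counts, domains named, TLS session count and beacon gaps."""
    by_dst = defaultdict(lambda: {"sids": Counter(), "domains": set(), "ports": set(), "tls": []})
    for a in alerts:
        d = by_dst[a["dst_ip"]]
        d["sids"][a["sid"]] += 1
        dom = refang(a["signature"])
        if dom:
            d["domains"].add(dom)
        if a["proto"] == "TCP":
            d["ports"].add(a["src_port"])
        if "TLS SNI" in a["signature"]:
            d["tls"].append(a["time"])
    out = {}
    for dst, d in by_dst.items():
        times = sorted(d["tls"])
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        out[dst] = {"sids": dict(d["sids"]), "domains": sorted(d["domains"]),
                    "tls_sessions": len(times), "distinct_src_ports": len(d["ports"]),
                    "mean_gap_s": mean(gaps) if gaps else None, "max_gap_s": max(gaps) if gaps else None}
    return out


def c2_candidates(alerts: list, min_sessions: int = 3) -> dict:
    """Domains that were resolved (DNS alert) and then contacted repeatedly over TLS: {domain: ip}."""
    looked_up = {refang(a["signature"]) for a in alerts if a["dst_port"] == 53} - {None}
    return {dom: ip for ip, s in summarize(alerts).items() if s["tls_sessions"] >= min_sessions
            for dom in s["domains"] if dom in looked_up}


if __name__ == "__main__":
    parsed = parse_alerts(ALERT_ROWS)
    for ip, s in summarize(parsed).items():
        print(ip, s)
    print("C2:", c2_candidates(parsed))
```

On this data summarize() reports seven TLS sessions to 104.21.112.1 from seven distinct source ports with a mean gap of about 1.7 s and a maximum of about 3.0 s, and c2_candidates() pairs zestmodp.top with that IP. The pairing matters in practice: the DNS alert alone fires on the resolver (1.1.1.1 here), so blocking or hunting on the resolved IP requires joining it to the SNI alerts, and the same join is what you would use to confirm that a shared-hosting IP like this Cloudflare address is the C2 for this domain and not for the other tenants behind it.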
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 15, 2025 17:56:28.587171078 CEST | 49676 | 443 | 192.168.2.5 | 20.189.173.14 |
Apr 15, 2025 17:56:28.893026114 CEST | 49676 | 443 | 192.168.2.5 | 20.189.173.14 |
Apr 15, 2025 17:56:29.502435923 CEST | 49676 | 443 | 192.168.2.5 | 20.189.173.14 |
Apr 15, 2025 17:56:29.518093109 CEST | 49672 | 443 | 192.168.2.5 | 204.79.197.203 |
Apr 15, 2025 17:56:30.705553055 CEST | 49676 | 443 | 192.168.2.5 | 20.189.173.14 |
Apr 15, 2025 17:56:32.194880009 CEST | 49691 | 80 | 192.168.2.5 | 172.253.124.94 |
Apr 15, 2025 17:56:32.302314997 CEST | 80 | 49691 | 172.253.124.94 | 192.168.2.5 |
Apr 15, 2025 17:56:32.302397013 CEST | 49691 | 80 | 192.168.2.5 | 172.253.124.94 |
Apr 15, 2025 17:56:32.302510977 CEST | 49691 | 80 | 192.168.2.5 | 172.253.124.94 |
Apr 15, 2025 17:56:32.408955097 CEST | 80 | 49691 | 172.253.124.94 | 192.168.2.5 |
Apr 15, 2025 17:56:32.409344912 CEST | 80 | 49691 | 172.253.124.94 | 192.168.2.5 |
Apr 15, 2025 17:56:32.455672026 CEST | 49691 | 80 | 192.168.2.5 | 172.253.124.94 |
Apr 15, 2025 17:56:33.111825943 CEST | 49676 | 443 | 192.168.2.5 | 20.189.173.14 |
Apr 15, 2025 17:56:37.925626040 CEST | 49676 | 443 | 192.168.2.5 | 20.189.173.14 |
Apr 15, 2025 17:56:38.980427027 CEST | 49692 | 443 | 192.168.2.5 | 104.21.112.1 |
Apr 15, 2025 17:56:38.980479956 CEST | 443 | 49692 | 104.21.112.1 | 192.168.2.5 |
Apr 15, 2025 17:56:38.980581045 CEST | 49692 | 443 | 192.168.2.5 | 104.21.112.1 |
Apr 15, 2025 17:56:38.982062101 CEST | 49692 | 443 | 192.168.2.5 | 104.21.112.1 |
Apr 15, 2025 17:56:38.982078075 CEST | 443 | 49692 | 104.21.112.1 | 192.168.2.5 |
Apr 15, 2025 17:56:39.127506018 CEST | 49672 | 443 | 192.168.2.5 | 204.79.197.203 |
Apr 15, 2025 17:56:39.236300945 CEST | 443 | 49692 | 104.21.112.1 | 192.168.2.5 |
Apr 15, 2025 17:56:39.236422062 CEST | 49692 | 443 | 192.168.2.5 | 104.21.112.1 |
Apr 15, 2025 17:56:39.241324902 CEST | 49692 | 443 | 192.168.2.5 | 104.21.112.1 |
Apr 15, 2025 17:56:39.241333961 CEST | 443 | 49692 | 104.21.112.1 | 192.168.2.5 |
Apr 15, 2025 17:56:39.241620064 CEST | 443 | 49692 | 104.21.112.1 | 192.168.2.5 |
Apr 15, 2025 17:56:39.283762932 CEST | 49692 | 443 | 192.168.2.5 | 104.21.112.1 |
Apr 15, 2025 17:56:39.295912027 CEST | 49692 | 443 | 192.168.2.5 | 104.21.112.1 |
Apr 15, 2025 17:56:39.295928955 CEST | 49692 | 443 | 192.168.2.5 | 104.21.112.1 |
Apr 15, 2025 17:56:39.295988083 CEST | 443 | 49692 | 104.21.112.1 | 192.168.2.5 |
Apr 15, 2025 17:56:39.883656979 CEST | 443 | 49692 | 104.21.112.1 | 192.168.2.5 |
Apr 15, 2025 17:56:39.883709908 CEST | 443 | 49692 | 104.21.112.1 | 192.168.2.5 |
Apr 15, 2025 17:56:39.883738041 CEST | 443 | 49692 | 104.21.112.1 | 192.168.2.5 |
Apr 15, 2025 17:56:39.883765936 CEST | 443 | 49692 | 104.21.112.1 | 192.168.2.5 |
Apr 15, 2025 17:56:39.883794069 CEST | 443 | 49692 | 104.21.112.1 | 192.168.2.5 |
Apr 15, 2025 17:56:39.883824110 CEST | 443 | 49692 | 104.21.112.1 | 192.168.2.5 |
Apr 15, 2025 17:56:39.883836031 CEST | 49692 | 443 | 192.168.2.5 | 104.21.112.1 |
Apr 15, 2025 17:56:39.883861065 CEST | 443 | 49692 | 104.21.112.1 | 192.168.2.5 |
Apr 15, 2025 17:56:39.883877039 CEST | 49692 | 443 | 192.168.2.5 | 104.21.112.1 |
Apr 15, 2025 17:56:39.883896112 CEST | 443 | 49692 | 104.21.112.1 | 192.168.2.5 |
Apr 15, 2025 17:56:39.883933067 CEST | 49692 | 443 | 192.168.2.5 | 104.21.112.1 |
Apr 15, 2025 17:56:39.883939028 CEST | 443 | 49692 | 104.21.112.1 | 192.168.2.5 |
Apr 15, 2025 17:56:39.884452105 CEST | 443 | 49692 | 104.21.112.1 | 192.168.2.5 |
Apr 15, 2025 17:56:39.884493113 CEST | 49692 | 443 | 192.168.2.5 | 104.21.112.1 |
Apr 15, 2025 17:56:39.884500027 CEST | 443 | 49692 | 104.21.112.1 | 192.168.2.5 |
Apr 15, 2025 17:56:39.884515047 CEST | 443 | 49692 | 104.21.112.1 | 192.168.2.5 |
Apr 15, 2025 17:56:39.884551048 CEST | 49692 | 443 | 192.168.2.5 | 104.21.112.1 |
Apr 15, 2025 17:56:39.884558916 CEST | 443 | 49692 | 104.21.112.1 | 192.168.2.5 |
Apr 15, 2025 17:56:39.924460888 CEST | 49692 | 443 | 192.168.2.5 | 104.21.112.1 |
Apr 15, 2025 17:56:40.029274940 CEST | 443 | 49692 | 104.21.112.1 | 192.168.2.5 |
Apr 15, 2025 17:56:40.029479980 CEST | 443 | 49692 | 104.21.112.1 | 192.168.2.5 |
Apr 15, 2025 17:56:40.029527903 CEST | 49692 | 443 | 192.168.2.5 | 104.21.112.1 |
Apr 15, 2025 17:56:40.029545069 CEST | 443 | 49692 | 104.21.112.1 | 192.168.2.5 |
Apr 15, 2025 17:56:40.029632092 CEST | 443 | 49692 | 104.21.112.1 | 192.168.2.5 |
Apr 15, 2025 17:56:40.029680014 CEST | 49692 | 443 | 192.168.2.5 | 104.21.112.1 |
Apr 15, 2025 17:56:40.029686928 CEST | 443 | 49692 | 104.21.112.1 | 192.168.2.5 |
Apr 15, 2025 17:56:40.029825926 CEST | 443 | 49692 | 104.21.112.1 | 192.168.2.5 |
Apr 15, 2025 17:56:40.029867887 CEST | 49692 | 443 | 192.168.2.5 | 104.21.112.1 |
Apr 15, 2025 17:56:40.029874086 CEST | 443 | 49692 | 104.21.112.1 | 192.168.2.5 |
Apr 15, 2025 17:56:40.029970884 CEST | 443 | 49692 | 104.21.112.1 | 192.168.2.5 |
Apr 15, 2025 17:56:40.030014038 CEST | 49692 | 443 | 192.168.2.5 | 104.21.112.1 |
Apr 15, 2025 17:56:40.030019999 CEST | 443 | 49692 | 104.21.112.1 | 192.168.2.5 |
Apr 15, 2025 17:56:40.030294895 CEST | 443 | 49692 | 104.21.112.1 | 192.168.2.5 |
Apr 15, 2025 17:56:40.030342102 CEST | 49692 | 443 | 192.168.2.5 | 104.21.112.1 |
Apr 15, 2025 17:56:40.030349016 CEST | 443 | 49692 | 104.21.112.1 | 192.168.2.5 |
Apr 15, 2025 17:56:40.030447960 CEST | 443 | 49692 | 104.21.112.1 | 192.168.2.5 |
Apr 15, 2025 17:56:40.030492067 CEST | 49692 | 443 | 192.168.2.5 | 104.21.112.1 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 15, 2025 17:56:32.077457905 CEST | 63793 | 53 | 192.168.2.5 | 1.1.1.1 |
Apr 15, 2025 17:56:32.185112953 CEST | 53 | 63793 | 1.1.1.1 | 192.168.2.5 |
Apr 15, 2025 17:56:38.863104105 CEST | 52140 | 53 | 192.168.2.5 | 1.1.1.1 |
Apr 15, 2025 17:56:38.973393917 CEST | 53 | 52140 | 1.1.1.1 | 192.168.2.5 |
Apr 15, 2025 17:56:50.800673962 CEST | 51619 | 53 | 192.168.2.5 | 1.1.1.1 |
Apr 15, 2025 17:56:50.962750912 CEST | 53 | 51619 | 1.1.1.1 | 192.168.2.5 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Apr 15, 2025 17:56:32.077457905 CEST | 192.168.2.5 | 1.1.1.1 | 0x71e7 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 15, 2025 17:56:38.863104105 CEST | 192.168.2.5 | 1.1.1.1 | 0x50c | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Apr 15, 2025 17:56:50.800673962 CEST | 192.168.2.5 | 1.1.1.1 | 0xf9b1 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Apr 15, 2025 17:56:31.452956915 CEST | 1.1.1.1 | 192.168.2.5 | 0x703a | No error (0) | | | 199.232.214.172 | A (IP address) | IN (0x0001) | false |
Apr 15, 2025 17:56:31.452956915 CEST | 1.1.1.1 | 192.168.2.5 | 0x703a | No error (0) | | | 199.232.210.172 | A (IP address) | IN (0x0001) | false |
Apr 15, 2025 17:56:32.185112953 CEST | 1.1.1.1 | 192.168.2.5 | 0x71e7 | No error (0) | | pki-goog.l.google.com | | CNAME (Canonical name) | IN (0x0001) | false |
Apr 15, 2025 17:56:32.185112953 CEST | 1.1.1.1 | 192.168.2.5 | 0x71e7 | No error (0) | | | 172.253.124.94 | A (IP address) | IN (0x0001) | false |
Apr 15, 2025 17:56:38.973393917 CEST | 1.1.1.1 | 192.168.2.5 | 0x50c | No error (0) | | | 104.21.112.1 | A (IP address) | IN (0x0001) | false |
Apr 15, 2025 17:56:38.973393917 CEST | 1.1.1.1 | 192.168.2.5 | 0x50c | No error (0) | | | 104.21.80.1 | A (IP address) | IN (0x0001) | false |
Apr 15, 2025 17:56:38.973393917 CEST | 1.1.1.1 | 192.168.2.5 | 0x50c | No error (0) | | | 104.21.64.1 | A (IP address) | IN (0x0001) | false |
Apr 15, 2025 17:56:38.973393917 CEST | 1.1.1.1 | 192.168.2.5 | 0x50c | No error (0) | | | 104.21.16.1 | A (IP address) | IN (0x0001) | false |
Apr 15, 2025 17:56:38.973393917 CEST | 1.1.1.1 | 192.168.2.5 | 0x50c | No error (0) | | | 104.21.96.1 | A (IP address) | IN (0x0001) | false |
Apr 15, 2025 17:56:38.973393917 CEST | 1.1.1.1 | 192.168.2.5 | 0x50c | No error (0) | | | 104.21.48.1 | A (IP address) | IN (0x0001) | false |
Apr 15, 2025 17:56:38.973393917 CEST | 1.1.1.1 | 192.168.2.5 | 0x50c | No error (0) | | | 104.21.32.1 | A (IP address) | IN (0x0001) | false |
Apr 15, 2025 17:56:50.962750912 CEST | 1.1.1.1 | 192.168.2.5 | 0xf9b1 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Apr 15, 2025 17:56:51.098282099 CEST | 1.1.1.1 | 192.168.2.5 | 0x92db | No error (0) | | ax-9999.ax-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false |
Apr 15, 2025 17:56:51.098282099 CEST | 1.1.1.1 | 192.168.2.5 | 0x92db | No error (0) | | | 150.171.27.254 | A (IP address) | IN (0x0001) | false |
Apr 15, 2025 17:56:51.098282099 CEST | 1.1.1.1 | 192.168.2.5 | 0x92db | No error (0) | | | 150.171.28.254 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port |
---|---|---|---|---|
0 | 192.168.2.5 | 49691 | 172.253.124.94 | 80 |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Apr 15, 2025 17:56:32.302510977 CEST | 200 | OUT | |
Apr 15, 2025 17:56:32.409344912 CEST | 1243 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.5 | 49692 | 104.21.112.1 | 443 | 8164 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-04-15 15:56:39 UTC | 261 | OUT | |
2025-04-15 15:56:39 UTC | 41 | OUT | |
2025-04-15 15:56:39 UTC | 244 | IN | |
2025-04-15 15:56:39 UTC | 1125 | IN | |
2025-04-15 15:56:39 UTC | 1369 | IN | |
2025-04-15 15:56:39 UTC | 1369 | IN | |
2025-04-15 15:56:39 UTC | 1369 | IN | |
2025-04-15 15:56:39 UTC | 1369 | IN | |
2025-04-15 15:56:39 UTC | 1369 | IN | |
2025-04-15 15:56:39 UTC | 1369 | IN | |
2025-04-15 15:56:39 UTC | 1369 | IN | |
2025-04-15 15:56:39 UTC | 211 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.5 | 49693 | 104.21.112.1 | 443 | 8164 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-04-15 15:56:40 UTC | 273 | OUT | |
2025-04-15 15:56:40 UTC | 14883 | OUT | |
2025-04-15 15:56:41 UTC | 264 | IN | |
2025-04-15 15:56:41 UTC | 76 | IN | |
2025-04-15 15:56:41 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.5 | 49694 | 104.21.112.1 | 443 | 8164 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-04-15 15:56:42 UTC | 269 | OUT | |
2025-04-15 15:56:42 UTC | 15012 | OUT | |
2025-04-15 15:56:42 UTC | 264 | IN | |
2025-04-15 15:56:42 UTC | 76 | IN | |
2025-04-15 15:56:42 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.5 | 49695 | 104.21.112.1 | 443 | 8164 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-04-15 15:56:43 UTC | 277 | OUT | |
2025-04-15 15:56:43 UTC | 15331 | OUT | |
2025-04-15 15:56:43 UTC | 5210 | OUT | |
2025-04-15 15:56:44 UTC | 264 | IN | |
2025-04-15 15:56:44 UTC | 76 | IN | |
2025-04-15 15:56:44 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.5 | 49696 | 104.21.112.1 | 443 | 8164 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-04-15 15:56:46 UTC | 278 | OUT | |
2025-04-15 15:56:46 UTC | 2354 | OUT | |
2025-04-15 15:56:46 UTC | 264 | IN | |
2025-04-15 15:56:46 UTC | 76 | IN | |
2025-04-15 15:56:46 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.5 | 49697 | 104.21.112.1 | 443 | 8164 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-04-15 15:56:47 UTC | 270 | OUT | |
2025-04-15 15:56:47 UTC | 15331 | OUT | |
2025-04-15 15:56:47 UTC | 15331 | OUT | |
2025-04-15 15:56:47 UTC | 15331 | OUT | |
2025-04-15 15:56:47 UTC | 15331 | OUT | |
2025-04-15 15:56:47 UTC | 15331 | OUT | |
2025-04-15 15:56:47 UTC | 15331 | OUT | |
2025-04-15 15:56:47 UTC | 15331 | OUT | |
2025-04-15 15:56:47 UTC | 15331 | OUT | |
2025-04-15 15:56:47 UTC | 15331 | OUT | |
2025-04-15 15:56:47 UTC | 15331 | OUT | |
2025-04-15 15:56:49 UTC | 264 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.5 | 49699 | 104.21.112.1 | 443 | 8164 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-04-15 15:56:49 UTC | 261 | OUT | |
2025-04-15 15:56:49 UTC | 79 | OUT | |
2025-04-15 15:56:50 UTC | 241 | IN | |
2025-04-15 15:56:50 UTC | 43 | IN |
Target ID: | 0 |
Start time: | 11:56:31 |
Start date: | 15/04/2025 |
Path: | C:\Users\user\Desktop\file.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff706c30000 |
File size: | 1'582'080 bytes |
MD5 hash: | D0C0E2B8CDCF7891093E828326FC7240 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 11:56:34 |
Start date: | 15/04/2025 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xff0000 |
File size: | 262'432 bytes |
MD5 hash: | 8FDF47E0FF70C40ED3A17014AEEA4232 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | high |
Has exited: | true |