Windows
Analysis Report
nanophanotool.exe
Overview
General Information
Detection
LummaC Stealer
Score: | 48 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Drops PE files with a suspicious file extension
Drops large PE files
Loading BitLocker PowerShell Module
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Console CodePage Lookup Via CHCP
Sigma detected: Suspicious Copy From or To System Directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
  - nanophanotool.exe (PID: 7684 cmdline: "C:\Users\user\Desktop\nanophanotool.exe" MD5: 6AE17B0BDDDA685EAA622CEF4BA2E805)
  - NanoTool.exe (PID: 7936 cmdline: C:\Users\user\AppData\Local\Temp\2pwUVUfAxOaiNAaY42by6gNEjEK\NanoTool.exe MD5: 879FC7D89F422B0CF9172FDE5F5F207F)
  - dllhost.exe (PID: 7948 cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
  - cmd.exe (PID: 7332 cmdline: C:\Windows\system32\cmd.exe /d /s /c "chcp" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 7384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - chcp.com (PID: 7432 cmdline: chcp MD5: 33395C4732A49065EA72590B14B64F32)
  - NanoTool.exe (PID: 4488 cmdline: "C:\Users\user\AppData\Local\Temp\2pwUVUfAxOaiNAaY42by6gNEjEK\NanoTool.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\dkqjnjumskmeurhg" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAA= --mojo-platform-channel-handle=1828 --field-trial-handle=1832,i,10219770729751664883,7512495620751718441,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 MD5: 879FC7D89F422B0CF9172FDE5F5F207F)
  - NanoTool.exe (PID: 3400 cmdline: "C:\Users\user\AppData\Local\Temp\2pwUVUfAxOaiNAaY42by6gNEjEK\NanoTool.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\dkqjnjumskmeurhg" --mojo-platform-channel-handle=2112 --field-trial-handle=1832,i,10219770729751664883,7512495620751718441,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8 MD5: 879FC7D89F422B0CF9172FDE5F5F207F)
  - cmd.exe (PID: 6036 cmdline: C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 4948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 4956 cmdline: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 4192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 7368 cmdline: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 2800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 2000 cmdline: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - cmd.exe (PID: 3060 cmdline: C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 4564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - findstr.exe (PID: 8092 cmdline: findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
  - powershell.exe (PID: 8096 cmdline: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 8048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 8068 cmdline: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 1236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 8064 cmdline: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 7392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 2364 cmdline: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 7436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 7472 cmdline: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 8108 cmdline: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 7020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 7044 cmdline: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 8100 cmdline: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 8084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 4364 cmdline: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 2212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 7332 cmdline: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 7992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 7460 cmdline: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 8020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 6720 cmdline: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 5472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 8104 cmdline: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 7776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 7948 cmdline: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 2504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 1700 cmdline: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 8060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 7360 cmdline: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 7064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - NanoTool.exe (PID: 3204 cmdline: "C:\Users\user\AppData\Local\Temp\2pwUVUfAxOaiNAaY42by6gNEjEK\NanoTool.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\dkqjnjumskmeurhg" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1816 --field-trial-handle=1832,i,10219770729751664883,7512495620751718441,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 MD5: 879FC7D89F422B0CF9172FDE5F5F207F)
  - cmd.exe (PID: 8028 cmdline: C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\user\AppData\Local\Temp\a2b8HYTvUJvaL2CBHF\RepublicChoir.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - RepublicChoir.exe (PID: 4464 cmdline: "C:\Users\user\AppData\Local\Temp\a2b8HYTvUJvaL2CBHF\RepublicChoir.exe" MD5: 1676B926564776E931EB4126D09E79A6)
  - cmd.exe (PID: 3684 cmdline: "C:\Windows\System32\cmd.exe" /c copy Enters Enters.cmd && Enters.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 7384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - tasklist.exe (PID: 7772 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
  - findstr.exe (PID: 1508 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
  - tasklist.exe (PID: 4628 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
  - findstr.exe (PID: 6020 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
  - cmd.exe (PID: 7448 cmdline: cmd /c md 254268 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - findstr.exe (PID: 7612 cmdline: findstr /V "DarkPrisonIncRangeBathsPresentedBuckSurely" Photograph MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
  - cmd.exe (PID: 7456 cmdline: cmd /c copy /b ..\Screen + ..\Laugh + ..\Ceo + ..\Nc + ..\Anticipated + ..\Uh + ..\Negative p MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - Ford.com (PID: 3068 cmdline: Ford.com p MD5: 62D09F076E6E0240548C2F837536A46A)
  - choice.exe (PID: 7328 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
System Summary |
---|
Source: | Author: frack113: |
Source: | Author: _pete_0, TheDFIRReport: |
Source: | Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Author: Joe Security: |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-10T10:19:54.713414+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49973 | 172.67.163.8 | 443 | TCP |
2024-12-10T10:19:56.743218+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49979 | 172.67.163.8 | 443 | TCP |
2024-12-10T10:19:58.907836+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49985 | 172.67.163.8 | 443 | TCP |
2024-12-10T10:20:01.351317+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49991 | 172.67.163.8 | 443 | TCP |
2024-12-10T10:20:03.402190+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49997 | 172.67.163.8 | 443 | TCP |
2024-12-10T10:20:05.759691+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 50003 | 172.67.163.8 | 443 | TCP |
2024-12-10T10:20:08.341833+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 50009 | 172.67.163.8 | 443 | TCP |
2024-12-10T10:20:12.615690+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 50020 | 172.67.163.8 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-10T10:19:55.485439+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49973 | 172.67.163.8 | 443 | TCP |
2024-12-10T10:19:57.475638+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49979 | 172.67.163.8 | 443 | TCP |
2024-12-10T10:20:13.356785+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 50020 | 172.67.163.8 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-10T10:19:55.485439+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49973 | 172.67.163.8 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-10T10:19:57.475638+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49979 | 172.67.163.8 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-10T10:20:06.776654+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50003 | 172.67.163.8 | 443 | TCP |