Edit tour
Windows
Analysis Report
CapCut_12.0.4_Installer.exe
Overview
General Information
| Sample name: | CapCut_12.0.4_Installer.exe |
| Analysis ID: | 1576947 |
| MD5: | 8a671a1eea06778b362ba71f6ba06814 |
| SHA1: | 18e6e016a7f3f463b73f1a5bb5209b48f6d24ed9 |
| SHA256: | 3a571ea16c1d311ca9b2c914a85726a8cd0bb4f7b0b64d8c1692df59468907ce |
| Tags: | exeuser-SquiblydooBlog |
| Infos: |   |
 | |
Detection
LummaC Stealer
| Score: | 81 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Drops PE files with a suspicious file extension
Drops large PE files
Loading BitLocker PowerShell Module
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Drops PE files
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Console CodePage Lookup Via CHCP
Sigma detected: Suspicious Copy From or To System Directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
CapCut_12.0.4_Installer.exe (PID: 7120 cmdline: "C:\Users\ user\Deskt op\CapCut_ 12.0.4_Ins taller.exe " MD5: 8A671A1EEA06778B362BA71F6BA06814) - PhilipinessAvia Application.exe (PID: 6448 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\2q4oXT q4j47YyejO 9rcdlV9grg w\Philipin essAvia Ap plication. exe" MD5: 13A330AD06FA31614522A0680888B16C) 
cmd.exe (PID: 4828 cmdline: C:\Windows \system32\ cmd.exe /d /s /c "ch cp" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 6452 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
chcp.com (PID: 5744 cmdline: chcp MD5: 33395C4732A49065EA72590B14B64F32) - PhilipinessAvia Application.exe (PID: 1104 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\2q4oXT q4j47YyejO 9rcdlV9grg w\Philipin essAvia Ap plication. exe" --typ e=gpu-proc ess --user -data-dir= "C:\Users\ user\AppDa ta\Roaming \poikfwdnm yoitatx" - -gpu-prefe rences=UAA AAAAAAADgA AAYAAAAAAA AAAAAAAAAA ABgAAAAAAA wAAAAAAAAA AAAAAAQAAA AAAAAAAAAA AAAAAAAAAA AABgAAAAAA AAAGAAAAAA AAAAIAAAAA AAAAAgAAAA AAAAACAAAA AAAAAA= -- mojo-platf orm-channe l-handle=1 968 --fiel d-trial-ha ndle=1972, i,14616455 3611469008 67,1487704 3599526549 11,131072 --disable- features=S pareRender erForSiteP erProcess, WinRetriev eSuggestio nsOnlyOnDe mand /pref etch:2 MD5: 13A330AD06FA31614522A0680888B16C) - PhilipinessAvia Application.exe (PID: 2828 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\2q4oXT q4j47YyejO 9rcdlV9grg w\Philipin essAvia Ap plication. exe" --typ e=utility --utility- sub-type=n etwork.moj om.Network Service -- lang=en-GB --service -sandbox-t ype=none - -user-data -dir="C:\U sers\user\ AppData\Ro aming\poik fwdnmyoita tx" --mojo -platform- channel-ha ndle=2136 --field-tr ial-handle =1972,i,14 6164553611 46900867,1 4877043599 52654911,1 31072 --di sable-feat ures=Spare RendererFo rSitePerPr ocess,WinR etrieveSug gestionsOn lyOnDemand /prefetch :8 MD5: 13A330AD06FA31614522A0680888B16C) - cmd.exe (PID: 2516 cmdline:
C:\Windows \system32\ cmd.exe /d /s /c "ec ho %COMPUT ERNAME%.%U SERDNSDOMA IN%" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 4884 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
powershell.exe (PID: 5640 cmdline: powershell .exe -NoPr ofile -NoL ogo -Input Format Tex t -NoExit -Execution Policy Unr estricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 6312 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 6544 cmdline:
powershell .exe -NoPr ofile -NoL ogo -Input Format Tex t -NoExit -Execution Policy Unr estricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 6272 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 1196 cmdline:
powershell .exe -NoPr ofile -NoL ogo -Input Format Tex t -NoExit -Execution Policy Unr estricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 5672 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 5780 cmdline:
C:\Windows \system32\ cmd.exe /d /s /c "fi ndstr /C:" Detected b oot enviro nment" "%w indir%\Pan ther\setup act.log"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 2308 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - findstr.exe (PID: 2416 cmdline:
findstr /C :"Detected boot envi ronment" " C:\Windows \Panther\s etupact.lo g" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5) - powershell.exe (PID: 1700 cmdline:
powershell .exe -NoPr ofile -NoL ogo -Input Format Tex t -NoExit -Execution Policy Unr estricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 2084 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 2140 cmdline:
powershell .exe -NoPr ofile -NoL ogo -Input Format Tex t -NoExit -Execution Policy Unr estricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 4296 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 5228 cmdline:
powershell .exe -NoPr ofile -NoL ogo -Input Format Tex t -NoExit -Execution Policy Unr estricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 4312 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 4956 cmdline:
powershell .exe -NoPr ofile -NoL ogo -Input Format Tex t -NoExit -Execution Policy Unr estricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 5928 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 5088 cmdline:
powershell .exe -NoPr ofile -NoL ogo -Input Format Tex t -NoExit -Execution Policy Unr estricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 6544 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 5640 cmdline:
powershell .exe -NoPr ofile -NoL ogo -Input Format Tex t -NoExit -Execution Policy Unr estricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 5888 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 2044 cmdline:
powershell .exe -NoPr ofile -NoL ogo -Input Format Tex t -NoExit -Execution Policy Unr estricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 1620 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 7648 cmdline:
powershell .exe -NoPr ofile -NoL ogo -Input Format Tex t -NoExit -Execution Policy Unr estricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 7656 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 7800 cmdline:
powershell .exe -NoPr ofile -NoL ogo -Input Format Tex t -NoExit -Execution Policy Unr estricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 7808 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 7920 cmdline:
powershell .exe -NoPr ofile -NoL ogo -Input Format Tex t -NoExit -Execution Policy Unr estricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 7936 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 7928 cmdline:
powershell .exe -NoPr ofile -NoL ogo -Input Format Tex t -NoExit -Execution Policy Unr estricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 7952 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 7944 cmdline:
powershell .exe -NoPr ofile -NoL ogo -Input Format Tex t -NoExit -Execution Policy Unr estricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 7980 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 7972 cmdline:
powershell .exe -NoPr ofile -NoL ogo -Input Format Tex t -NoExit -Execution Policy Unr estricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 8008 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 7988 cmdline:
powershell .exe -NoPr ofile -NoL ogo -Input Format Tex t -NoExit -Execution Policy Unr estricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 8028 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 8020 cmdline:
powershell .exe -NoPr ofile -NoL ogo -Input Format Tex t -NoExit -Execution Policy Unr estricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 8072 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 8060 cmdline:
powershell .exe -NoPr ofile -NoL ogo -Input Format Tex t -NoExit -Execution Policy Unr estricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 8156 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 7504 cmdline:
C:\Windows \system32\ cmd.exe /d /s /c ""C :\Users\us er\AppData \Local\Tem p\ZMqHMFIn p3s7BH2HI7 \ThemCiao. exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 796 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
ThemCiao.exe (PID: 7664 cmdline: "C:\Users\ user\AppDa ta\Local\T emp\ZMqHMF Inp3s7BH2H I7\ThemCia o.exe" MD5: 2783F1199571BC172AA55EC4B0846490) - cmd.exe (PID: 7724 cmdline:
"C:\Window s\System32 \cmd.exe" /c copy Br ight Brigh t.cmd & cd & Bright. cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7736 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - tasklist.exe (PID: 7684 cmdline:
tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1) - findstr.exe (PID: 7656 cmdline:
findstr /I "opssvc w rsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - tasklist.exe (PID: 5168 cmdline:
tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1) - findstr.exe (PID: 4592 cmdline:
findstr "A vastUI AVG UI bdservi cehost nsW scSvc ekrn SophosHea lth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - cmd.exe (PID: 7840 cmdline:
cmd /c md 530420 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - findstr.exe (PID: 7872 cmdline:
findstr /V "Autos" P upils MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - cmd.exe (PID: 7860 cmdline:
cmd /c cop y /b ..\Re alty + ..\ Toys + ..\ Ja + ..\Ti tans + ..\ Victoria + ..\Health y q MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) 
Classes.com (PID: 7900 cmdline: Classes.co m q MD5: 62D09F076E6E0240548C2F837536A46A) - choice.exe (PID: 7832 cmdline:
choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4) - PhilipinessAvia Application.exe (PID: 7244 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\2q4oXT q4j47YyejO 9rcdlV9grg w\Philipin essAvia Ap plication. exe" --typ e=gpu-proc ess --disa ble-gpu-sa ndbox --us e-gl=disab led --gpu- vendor-id= 5140 --gpu -device-id =140 --gpu -sub-syste m-id=0 --g pu-revisio n=0 --gpu- driver-ver sion=10.0. 19041.546 --user-dat a-dir="C:\ Users\user \AppData\R oaming\poi kfwdnmyoit atx" --gpu -preferenc es=UAAAAAA AAADoAAAYA AAAAAAAAAA AAAAAAABgA AAAAAAwAAA AAAAAAAAAA ACQAAAAAAA AAAAAAAAAA AAAAAAAABg AAAAAAAAAG AAAAAAAAAA IAAAAAAAAA AgAAAAAAAA ACAAAAAAAA AA= --mojo -platform- channel-ha ndle=1124 --field-tr ial-handle =1972,i,14 6164553611 46900867,1 4877043599 52654911,1 31072 --di sable-feat ures=Spare RendererFo rSitePerPr ocess,WinR etrieveSug gestionsOn lyOnDemand /prefetch :2 MD5: 13A330AD06FA31614522A0680888B16C)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
System Summary |   |
|---|
| Source: | Author: frack113: | ||
| Source: | Author: _pete_0, TheDFIRReport: | ||
| Source: | Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): | ||
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Author: Joe Security: | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-17T18:54:10.684611+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49895 | 104.21.2.110 | 443 | TCP |
| 2024-12-17T18:54:12.632329+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49901 | 104.21.2.110 | 443 | TCP |
| 2024-12-17T18:54:14.983703+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49907 | 104.21.2.110 | 443 | TCP |
| 2024-12-17T18:54:17.451106+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49914 | 104.21.2.110 | 443 | TCP |
| 2024-12-17T18:54:20.048876+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49921 | 104.21.2.110 | 443 | TCP |
| 2024-12-17T18:54:22.261782+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49927 | 104.21.2.110 | 443 | TCP |
| 2024-12-17T18:54:24.558180+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49933 | 104.21.2.110 | 443 | TCP |
| 2024-12-17T18:54:28.181520+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49943 | 104.21.2.110 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-17T18:54:11.402138+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49895 | 104.21.2.110 | 443 | TCP |
| 2024-12-17T18:54:13.495801+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49901 | 104.21.2.110 | 443 | TCP |
| 2024-12-17T18:54:29.198237+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49943 | 104.21.2.110 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-17T18:54:11.402138+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49895 | 104.21.2.110 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-17T18:54:13.495801+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49901 | 104.21.2.110 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-17T18:54:22.995459+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49927 | 104.21.2.110 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | ReversingLabs: | ||
| Source: | Static PE information: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||