Windows
Analysis Report
NativeApp_G5L1NHZZ.exe
Overview
General Information
Detection
LummaC Stealer
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Bypasses PowerShell execution policy
Drops PE files with a suspicious file extension
Drops large PE files
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Abnormal high CPU Usage
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Drops PE files
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Console CodePage Lookup Via CHCP
Sigma detected: Suspicious Copy From or To System Directory
Suricata IDS alerts with low severity for network traffic
Too many similar processes found
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- NativeApp_G5L1NHZZ.exe (PID: 5548 cmdline: "C:\Users\user\Desktop\NativeApp_G5L1NHZZ.exe" MD5: D1D6A581049DF18AC3B675230E04311B)
- ProtonEditor.exe (PID: 4072 cmdline: C:\Users\user\AppData\Local\Temp\2pgSv0vlYhhdpvvGytqrA5IvWzH\ProtonEditor.exe MD5: 1CD5781EFBCF327826A48CD866800010)
- cmd.exe (PID: 5900 cmdline: C:\Windows\system32\cmd.exe /d /s /c "chcp" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 5228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- chcp.com (PID: 5640 cmdline: chcp MD5: 33395C4732A49065EA72590B14B64F32)
- ProtonEditor.exe (PID: 5228 cmdline: "C:\Users\user\AppData\Local\Temp\2pgSv0vlYhhdpvvGytqrA5IvWzH\ProtonEditor.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\evfgtisrmbmqfiex" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1832 --field-trial-handle=1836,i,2966728607677488285,16588942018758611239,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 MD5: 1CD5781EFBCF327826A48CD866800010)
- ProtonEditor.exe (PID: 3948 cmdline: "C:\Users\user\AppData\Local\Temp\2pgSv0vlYhhdpvvGytqrA5IvWzH\ProtonEditor.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\evfgtisrmbmqfiex" --mojo-platform-channel-handle=2120 --field-trial-handle=1836,i,2966728607677488285,16588942018758611239,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8 MD5: 1CD5781EFBCF327826A48CD866800010)
- cmd.exe (PID: 1864 cmdline: C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 6152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 5840 cmdline: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 6464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 5460 cmdline: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 2828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 4416 cmdline: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 5364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7528 cmdline: C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- findstr.exe (PID: 7576 cmdline: findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
- powershell.exe (PID: 7592 cmdline: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7600 cmdline: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7628 cmdline: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7644 cmdline: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7656 cmdline: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7672 cmdline: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7688 cmdline: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7264 cmdline: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7612 cmdline: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 8164 cmdline: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7972 cmdline: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 5080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 8176 cmdline: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 744 cmdline: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7800 cmdline: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7700 cmdline: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 8060 cmdline: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7652 cmdline: C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\user\AppData\Local\Temp\FBjp1YLF5OVM30rhnV\CnnCylinder.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 8140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- CnnCylinder.exe (PID: 7800 cmdline: "C:\Users\user\AppData\Local\Temp\FBjp1YLF5OVM30rhnV\CnnCylinder.exe" MD5: 64488E190C4A6A5A693CF0CE5A5516A2)
- cmd.exe (PID: 8044 cmdline: "C:\Windows\System32\cmd.exe" /c copy Finally Finally.cmd && Finally.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- tasklist.exe (PID: 7872 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
- findstr.exe (PID: 7620 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
- tasklist.exe (PID: 8156 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
- findstr.exe (PID: 6608 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
- cmd.exe (PID: 7700 cmdline: cmd /c md 69564 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- findstr.exe (PID: 7900 cmdline: findstr /V "custodymatchesfacingzope" Ec MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
- cmd.exe (PID: 8024 cmdline: cmd /c copy /b ..\Flow + ..\Payable + ..\Qualifications + ..\Particular + ..\Generous + ..\Conclusions + ..\Bleeding X MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Style.com (PID: 8004 cmdline: Style.com X MD5: 6EE7DDEBFF0A2B78C7AC30F6E00D1D11)
- Style.com (PID: 8184 cmdline: C:\Users\user\AppData\Local\Temp\69564\Style.com MD5: 6EE7DDEBFF0A2B78C7AC30F6E00D1D11)
- choice.exe (PID: 7948 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
- cmd.exe (PID: 5480 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\FBjp1YLF5OVM30rhnV\specreal.ps1"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 8104 cmdline: powershell -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\FBjp1YLF5OVM30rhnV\specreal.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
- ProtonEditor.exe (PID: 7728 cmdline: "C:\Users\user\AppData\Local\Temp\2pgSv0vlYhhdpvvGytqrA5IvWzH\ProtonEditor.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\evfgtisrmbmqfiex" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1104 --field-trial-handle=1836,i,2966728607677488285,16588942018758611239,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 MD5: 1CD5781EFBCF327826A48CD866800010)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: |
Source: | Author: frack113: |
Source: | Author: _pete_0, TheDFIRReport: |
Source: | Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Author: Joe Security: |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-18T11:06:46.911948+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49989 | 172.67.146.77 | 443 | TCP |
2024-12-18T11:06:49.328541+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49990 | 172.67.146.77 | 443 | TCP |
2024-12-18T11:06:48.872966+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49989 | 172.67.146.77 | 443 | TCP |
2024-12-18T11:06:48.872966+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49989 | 172.67.146.77 | 443 | TCP |
2024-12-18T11:05:52.599221+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49969 | 185.117.73.246 | 80 | TCP |
AV Detection |
---|
Source: | ReversingLabs: |
Source: | Virustotal: |
Source: | Static PE information: |
Source: | File created: |
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | File opened: |
Networking |
---|
Source: | Suricata IDS: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | Suricata IDS: |
Source: | HTTP traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: |