Windows
Analysis Report
Wine.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- Wine.exe (PID: 2684, cmdline: "C:\Users\user\Desktop\Wine.exe", MD5: 53DE93968FDA3933233DF112FF5884A0)
- cmd.exe (PID: 2680, cmdline: "C:\Windows\System32\cmd.exe" /c copy Regards Regards.cmd && Regards.cmd, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 6176, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- tasklist.exe (PID: 1892, cmdline: tasklist, MD5: 0A4448B31CE7F83CB7691A2657F330F1)
- findstr.exe (PID: 6656, cmdline: findstr /I "opssvc wrsa", MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
- tasklist.exe (PID: 1532, cmdline: tasklist, MD5: 0A4448B31CE7F83CB7691A2657F330F1)
- findstr.exe (PID: 2804, cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth", MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
- cmd.exe (PID: 6692, cmdline: cmd /c md 63933, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- findstr.exe (PID: 2132, cmdline: findstr /V "FLOYD" Benefits, MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
- cmd.exe (PID: 2364, cmdline: cmd /c copy /b ..\Ada + ..\Pac + ..\Hidden + ..\Murder + ..\Billy + ..\Tree U, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Compare.com (PID: 4120, cmdline: Compare.com U, MD5: 62D09F076E6E0240548C2F837536A46A)
- choice.exe (PID: 180, cmdline: choice /d y /t 5, MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | |
{"C2 url": ["diffuculttan.xyz", "immureprech.biz", "debonairnukk.xyz", "sordid-snaked.cyou", "awake-weaves.cyou", "tacitglibbr.biz", "effecterectz.xyz", "wrathful-jammy.cyou", "deafeninggeh.biz"], "Build id": "BVnUqo--@enjoyerkomaru"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
 | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
 | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |
- Rule matched, author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)
HIPS / PFW / Operating System Protection Evasion |
---|
- Rule matched, author: Joe Security
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-23T01:20:24.625735+0100 | 2058230 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 59310 | 1.1.1.1 | 53 | UDP |
2024-12-23T01:20:26.254241+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49731 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:26.254241+0100 | 2058231 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49731 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:27.001490+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49731 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:27.001490+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49731 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:28.262201+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49737 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:28.262201+0100 | 2058231 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49737 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:29.052795+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49737 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:29.052795+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.5 | 49737 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:31.040274+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49743 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:31.040274+0100 | 2058231 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49743 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:33.223141+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49749 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:33.223141+0100 | 2058231 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49749 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:35.671264+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49755 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:35.671264+0100 | 2058231 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49755 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:38.087207+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49766 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:38.087207+0100 | 2058231 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49766 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:38.846547+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49766 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:40.548814+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49772 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:40.548814+0100 | 2058231 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49772 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:44.607860+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49783 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:44.607860+0100 | 2058231 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49783 | 104.21.50.161 | 443 | TCP |
AV Detection |
---|
Signature types and hit counts; the per-hit detail columns are empty in this copy of the report.
- Malware Configuration Extractor
- ReversingLabs
- Virustotal
- Integrated Neural Analysis Model
- String decryptor: 15 hits
- Static PE information
- HTTPS traffic detected: 7 hits
- Static PE information
- Directory queried
- Code function: 0_2_00406301, 0_2_00406CC7
- File opened: 6 hits
Networking |
---|
- Suricata IDS: 14 hits
- URLs: 9 hits
- IP Address
- JA3 fingerprint
- Suricata IDS: 8 hits
- HTTP traffic detected: 7 hits
- UDP traffic detected without corresponding DNS query: 2 hits
- DNS traffic detected: 2 hits
- HTTP traffic detected
- String found in binary or memory: 71 hits
- Network traffic detected: 16 hits
- HTTPS traffic detected: 7 hits
Other signature hits |
---|
- Code function: 0_2_004050F9, 0_2_004044D1, 0_2_004038AF
- File created: 10 hits
- Code function: 0_2_0040737E, 0_2_00406EFE, 0_2_004079A2, 0_2_004049A8
- Dropped File
- Code function
- Static PE information
- Binary or memory string: 2 hits
- Static PE information: 2 hits
- Classification label
- Code function: 0_2_004044D1, 0_2_004024FB
- Mutant created
- File created
- Static PE information
- WMI Queries: 2 hits
- File read
- Key opened
- Binary or memory string
- ReversingLabs
- Virustotal
- File read
- Process created: 12 hits
- Process created: 10 hits
- Section loaded: 115 hits
- Key value queried
- Process created
- Window detected
- Static file information
- Static PE information
- Code function: 0_2_00406328
- Static PE information
- Code function: 11_3_0441F00A, 11_3_0441AE2B, 11_3_0441F631, 11_3_0441AEDB, 11_3_0441BF80, 11_3_0441AD50, 11_3_0441BF80, 11_3_0441BF80, 11_3_0442CA22, 11_3_0442E9B0, 11_3_0440CF08, 11_3_04408A09, 11_3_04408C8C, 11_3_0440E39D, 11_3_04408FB7
Persistence and Installation Behavior |
---|
- File created (dropped file): 2 hits
- Process information set: 19 hits
Malware Analysis System Evasion |
---|
- System information queried
- Thread sleep time: 2 hits
- WMI Queries
- Last function
- Code function: 0_2_00406301, 0_2_00406CC7
- File opened: 6 hits
- Binary or memory string: 35 hits
- Process information queried
- Code function: 0_2_00406328
- Process token adjusted: 2 hits
HIPS / PFW / Operating System Protection Evasion |
---|
- String found in binary or memory: 6 hits
- Process created: 10 hits
- Binary or memory string
- Queries volume information
- Code function: 0_2_00406831
- Key value queried
- Binary or memory string
- WMI Queries
Stealing of Sensitive Information |
---|
- File source: 3 hits
- String found in binary or memory: 8 hits
- File opened: 112 hits
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | Directory queried: | Jump to behavior | (90 rows in the original; the source-process and directory cells were not preserved in this extraction) |
Source: | File source: | (2 rows in the original; the source and file cells were not preserved in this extraction) |
Remote Access Functionality |
---|
Source: | File source: | (3 rows in the original; the source and file cells were not preserved in this extraction) |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 21 Windows Management Instrumentation | 1 DLL Side-Loading | 12 Process Injection | 11 Masquerading | 2 OS Credential Dumping | 121 Security Software Discovery | Remote Services | 11 Input Capture | 11 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Virtualization/Sandbox Evasion | 11 Input Capture | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 12 Process Injection | Security Account Manager | 3 Process Discovery | SMB/Windows Admin Shares | 41 Data from Local System | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Deobfuscate/Decode Files or Information | NTDS | 23 File and Directory Discovery | Distributed Component Object Model | 1 Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 25 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Software Packing | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 55% | ReversingLabs | Win32.Trojan.Generic | |
| 66% | Virustotal | | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | ReversingLabs | | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
tacitglibbr.biz | 104.21.50.161 | true | false | high | |
JbrLSRvmUifhFvHfsTCSko.JbrLSRvmUifhFvHfsTCSko | unknown | unknown | false | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
(10 rows in the original, all Malicious = false and Reputation = high; the Name cells were not preserved in this extraction) | false | | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
(33 rows in the original, all Malicious = false; Reputation = high for 29 and unknown for 4; the Name and Source cells were not preserved in this extraction) | | false | | high / unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
104.21.50.161 | tacitglibbr.biz | United States | | 13335 | CLOUDFLARENETUS | false |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1579568 |
Start date and time: | 2024-12-23 01:19:05 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 6m 14s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 15 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | Wine.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@22/23@2/1 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded IPs from analysis (whitelisted): 13.107.246.63, 172.202.163.200
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target Compare.com, PID 4120 because there are no executed functions
- Not all processes were analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryDirectoryFile calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description |
---|---|---|
19:19:56 | API Interceptor | |
19:20:25 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
104.21.50.161 | | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC, Stealc | Browse | |
| | Get hash | malicious | LummaC, Stealc | Browse | |
| | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | Browse | |
| | Get hash | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | Browse | |
| | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Xmrig | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
tacitglibbr.biz | | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC, Stealc | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Xmrig | Browse | |
| | Get hash | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Xmrig | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC, Stealc | Browse | |
| | Get hash | malicious | LummaC, Stealc | Browse | |
| | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | Browse | |
| | Get hash | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, DCRat, LummaC Stealer, PureLog Stealer | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CLOUDFLARENETUS | | Get hash | malicious | Babadeda | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | Babadeda | Browse | |
| | Get hash | malicious | Babadeda | Browse | |
| | Get hash | malicious | LummaC, DarkComet, LummaC Stealer, Vidar | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | RHADAMANTHYS | Browse | |
| | Get hash | malicious | LummaC | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC, DarkComet, LummaC Stealer, Vidar | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
C:\Users\user\AppData\Local\Temp\63933\Compare.com | | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | Vidar | Browse | |
| | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig | Browse | |
| | Get hash | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig | Browse | |
| | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Vidar, Xmrig | Browse | |
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | modified |
Size (bytes): | 947288 |
Entropy (8bit): | 6.630612696399572 |
Encrypted: | false |
SSDEEP: | 24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK |
MD5: | 62D09F076E6E0240548C2F837536A46A |
SHA1: | 26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2 |
SHA-256: | 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49 |
SHA-512: | 32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F |
Malicious: | true |
Antivirus: | |
Joe Sandbox View: | |
Preview: |
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 480246 |
Entropy (8bit): | 7.999561721472244 |
Encrypted: | true |
SSDEEP: | 12288:3UWjRupxXr49yr1a3dLT+si0OACj1YnRzUfc6PIYUmdjEYDX8ZNvfn:fRupFr49H3dLT+L0Od5KzUE6QYDIYDs/ |
MD5: | 9DDBC6F3C0992B62CAE004A83523FA4F |
SHA1: | ABA36E7A19F0194AEAEB513845FF3524D47115CF |
SHA-256: | 5D3B6FB7AD2684DE36A7E35AB0007665661F419F59EEEA23AF227FDD69E23D55 |
SHA-512: | F6A08A8D8264C658AA8E753F2FBD022EFF78B11FAF82458183C97E88EB3B7E92AD8FB2D95977A81F2D744FB147513B21F07A8F57389F45BE98C1B320BC87167D |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Wine.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 87040 |
Entropy (8bit): | 7.997928489731772 |
Encrypted: | true |
SSDEEP: | 1536:6mp3ciM1VigkmVGcEdJJPjoeuofG7th8LAxWXc0IYBNfsKIkEo47D1x39svQKqnI:5p3kVQmocAPPjoenuZh8sxxFYBug3Wh2 |
MD5: | 572765E3533D7EDF424941F84889C7FB |
SHA1: | 172192B1443476F3A67979045947D254A96AD28C |
SHA-256: | 447DD3DDEABE2EE7A5EB1134FA09A7B3CE28F9F23C50E863CA3CD48D983CF87E |
SHA-512: | 2E0A1EB73C49A0948D899AD6D63CDF383EC3FB1EB34F88067062F2CF2D7AAE161B3ADA18093CCEC7F7A16877CCFD4F1377DFE46ED0FD281CD57C6C2CA7D7D746 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Wine.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 125952 |
Entropy (8bit): | 6.345543142186426 |
Encrypted: | false |
SSDEEP: | 3072:lZg5PXPeiR6MKkjGWoUlJUPdgQa8Bp/LxyA3laW2UDQWfe:lK5vPeDkjGgQaE/loUDtfe |
MD5: | AC8E53279C542FB983FF32BE08887477 |
SHA1: | 2A3DB44F11F2C759D24E44DC907E40CCF91F0BDF |
SHA-256: | 5220BDB2FEF7452BE3CD0B3B1D62A525660A35710CE27644FE72454DDD020BCC |
SHA-512: | 90EA81BEA63D9EE78DB41631053B477F732791907CEDCFB3794F62331412A5D954DF8422A3D201A1C7D1C69928795CB4DE99C76933E8E772EBCA4F76FE287766 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Wine.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1828 |
Entropy (8bit): | 4.78962465581066 |
Encrypted: | false |
SSDEEP: | 24:GyGS9PvCA433C+sCNC1skNkvQfhSHQU2L55e1yb/uBx39lt6DhBhhB4+JvU1SX6A:b9n9mTsCNvEQH5O5U1nPKrhBzM1m |
MD5: | 558727433B13C0E50C574240F6BA47C6 |
SHA1: | 3C94F3820A2E9003E5ECC024240225EF337FFDAD |
SHA-256: | 372CEF0CB2DD963FF4400D53757D26330D704174F42BEE2672F7BD023C473980 |
SHA-512: | 9D4D0AF01BCA6BBF4B62D587355453B110FDD93BD1BF475A016CDC3F48FFB5745672CC04370A6A27CF4289896AA6EC18F416CA583C0FAD09105896A896F5B3FC |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Wine.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 71680 |
Entropy (8bit): | 7.997530216453748 |
Encrypted: | true |
SSDEEP: | 1536:VMomLmtWt3Kw2Qt695Q9nz/ffX9S3AGJ2S4v7u13VXYEC7bJ8teb:VFmLmtWadjuznfX9yhCv7KlX3sbVb |
MD5: | A3843F499291980BC0AA44677B2DDE67 |
SHA1: | 21D766D0F1D82560889514D9F435D849BE0C9809 |
SHA-256: | 94FD435C86E9A3A96F9CF24D3647C22C0C2BC59F6F2A7E5459CF42A856939E16 |
SHA-512: | D981AAA0FFD7AE4DD7E44C5E64371C2C9C3D9B70729282E68965841225F413C4BF98F4457F4B860C5742207DA1A9C20C7CFBB53C16488149C92484973D845DFC |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Wine.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 18745 |
Entropy (8bit): | 7.3490232963827635 |
Encrypted: | false |
SSDEEP: | 384:Dhbn929MwO/ChZrzmZGhLdXVaeCVrVEVFJ8ZcGwGBk7/UMQ3rw:DFuO/ChgZ45VatJVEV3GPkjF |
MD5: | B1424BA46B55C44B8B6A863813D76084 |
SHA1: | A773B48B51E639477848D7E34C536A1D1AE28213 |
SHA-256: | 598C4F845DD14984A8D883120C40021A9276E4EB1C6E4B9EEC7A01F7A61BF27E |
SHA-512: | 7FFBE088DC2B601B042C87446CF12CB3A7A955EFC780432A84E6A7880777714DD8CF347A424944F037F140F2455C5F6153AEBEF6846051CEA25EE266AD72C287 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Wine.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 62464 |
Entropy (8bit): | 6.560274727342203 |
Encrypted: | false |
SSDEEP: | 1536:uaynB6GMKY99z+ajU1Rjv18fRQLTh/5fhjLueoMmOrrE:uVnBypIbv18mLthfhnueoMmOk |
MD5: | 14EC61EC00A2BFE96034A7FBDFE07EAB |
SHA1: | C80F99C4F300A91335911BE2E8AFD2609E6AF1D4 |
SHA-256: | F589D7B08B87BD1955F1C87B8DA10187E6E583B6C0C8184E547A2B04C0ADEFAC |
SHA-512: | 3398428E6169823E7ECFF9D1E3D9BDD13FBE0B00A2D857C3F3C63A0B71BC75F4B2E82738AB6989F6FE6D67CD2BAA74CF30C708A76399730460102817AC251DD3 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Wine.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 66560 |
Entropy (8bit): | 3.8288397714489464 |
Encrypted: | false |
SSDEEP: | 768:XqA60dTcR4qYnGfAHE9AUsFxyLtVSQsbZgar3R/OWel3EYr8l:Xj6iTcPAsAhxjgarB/5el3EYr0 |
MD5: | 023697FE11A98DA9B784C5D79DF67271 |
SHA1: | 783F0773E94F8C31133CB437A318A89D199082B0 |
SHA-256: | ADAF981F6187DBB7C0089039D1E316BDD43CDBC83AE88CE100B322E610C64E61 |
SHA-512: | 45EBAE92D5709CB9C140D442B97EB0FDC64E837F0FCA911A489B9B32A4F650DA2F329223410DEEDD6961057CD50E0501CC7252B270020012148A3C44AD8DD7CD |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Wine.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 99328 |
Entropy (8bit): | 7.99821677894635 |
Encrypted: | true |
SSDEEP: | 1536:OSb6Pirf7brPQEBlcUKgvoIk97Pl6/HosWGShLHip0IBIpizwq0KPEmJTeqbUBKz:OMLj7brGmvJk97tzOACGI2mB7pJ6qbYo |
MD5: | D1257688E6E845C4B354D7F7BF9E62B5 |
SHA1: | A3D736D4CCF6D711F75DDA29E61C369DB41F1787 |
SHA-256: | 2F182BE17BFBC7F5539153E93B17F12935FCBBAB3F2CBC4B43C2710A20531E8E |
SHA-512: | 6C6B4DCD7836BCCD9FB00C17BD225C1FDDF68A914D486B07123BD004FE73C206675C2FBF113BCD63A9A301D2793E3A3F353280E1C852267E56D06CD1F2561441 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Wine.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 119808 |
Entropy (8bit): | 6.361723922745879 |
Encrypted: | false |
SSDEEP: | 3072:fDoioO5bLezW9FfTut/Dde6u640ewy4Za9coRC2jfTq8QLeAg0Fuz0r:WO5bLezWWt/Dd314V14ZgP0JaAOz0r |
MD5: | 84F86AAFC5B60874096506BEB0495562 |
SHA1: | AA0BC8D60DF328D1FFF514CEE20666C6569E00D7 |
SHA-256: | 6D0A88AE29D79FC9339FFBFDF4ACD775E4A1FC7E8A361A3E2BBB3AE8B3EA11BA |
SHA-512: | 389D65609738D36FB3A83F1B5F5451D17AF33881B36C8326EB7F0A1B6B0690852277F107BB27AD245AA4F690352D96E0D8AEB8AE58587D9B87EF8FE7701F77AB |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Wine.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 59392 |
Entropy (8bit): | 6.683943905805834 |
Encrypted: | false |
SSDEEP: | 1536:JdTmHwANUQlHS3cctlxWboHdMJ3RraSXL2f:JdTmRxlHS3NxrHSBRtM |
MD5: | 5E101D6FCE9A8F49FE52F06D20AB1986 |
SHA1: | 7CCFC584BA6B8FE18D4C4E7B4996797A23CC9A34 |
SHA-256: | 0193896D3F430963179E6C2C205E1379A6C5E67BB8B8DC2EDC33CB029089AB05 |
SHA-512: | 3D4A26BC13814BB487481A1B30053489BBBFEBA4F6453631A1B6FE8801AB2602CA6B425800D67CAD15A0FFCCA07BD043A1AF4F815A61DA09057F234472A7B4B9 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Wine.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 110592 |
Entropy (8bit): | 5.557293254865784 |
Encrypted: | false |
SSDEEP: | 768:UDvFQC7Vkr5M4INduPbOU7aI4kCD9vmPukxhSaAwuXc/mex/SGKAGWB:QQuklMBNIimuzaAwusPdK8 |
MD5: | 015F102A59EF199628AEA96AD1ABC7F5 |
SHA1: | D7217C0D029A8FAA50175D9DCDA1BE5054301FA6 |
SHA-256: | DEBA36B81DD30E3552F59A6228E288C57B1AC0FB06831C4B36CA8B74625B526C |
SHA-512: | FE876F727335B278D49075A0CBDB44D75F321CC2B66FAF3BDACAD79356D868277BB95104CF894350DC8616908F11BA77B6D2F0AA0B4724F46D7A566970717EEF |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Wine.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 118784 |
Entropy (8bit): | 6.635609915121052 |
Encrypted: | false |
SSDEEP: | 3072:EPnj0nEoXnmowS2u5hVOoQ7t8T6pUkBJR8CThpmESv+Ab:EPj0nEo3tb2j6AUkB0CThp6vv |
MD5: | 3D49859F103AFC62F7CA44B56FB1E3D2 |
SHA1: | 9482ACC5B8EB643F84D58508A67CDD0AD571F895 |
SHA-256: | 9A498853621DA4C0C749F17A20F067BE6B989D416FBE198E6F339CB482DBEB70 |
SHA-512: | EF0186670704A682C3BBCB95C4A18EC16EDFEFE3086220523CBBC479AED744E240EEE23B65DB69D84BCA4FF61152334045581B745E3A556A4222FC78737F3BC0 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Wine.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 74752 |
Entropy (8bit): | 7.997940502336996 |
Encrypted: | true |
SSDEEP: | 1536:Le77kXQYoFVQH/ErFusz9N4vFbw2e8nDH7N/kt7gEnNGu8kOT3v7DipJmH:W48/W/ErFuszUnfN/KgEnwiOj7Iw |
MD5: | 22CC3E7A9E2B41175CE96192153976B1 |
SHA1: | 8799E7BB491E50F35FAC259368439505AA626533 |
SHA-256: | 4722AE236E09F912AA59320E636F17546ADFBAE4C8D9018AA88E5A9DFB1B0EC1 |
SHA-512: | 1B22D4334CB3AF7190B149265511AB3304C262ED1B71E0209E484CA09479D4CB207A6BA96D356A9DE61918D42482050494FCC4D3E5544631C9FDDF9ECCAE84DB |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Wine.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 101376 |
Entropy (8bit): | 7.998368605625969 |
Encrypted: | true |
SSDEEP: | 3072:gUCl/OsI1TqNNG1UvRqVhZhuirrlp21FzgM+e:gh1aqccUhvtP7NM9 |
MD5: | 8C055F2536394DA01F2F4F89094933C8 |
SHA1: | CC7ED4B7B39E915F5659D2D562C493AB95A77D3A |
SHA-256: | 052D4165E402692097E963C7754CA2DB16F81E909D66DD160F31D5BAEF13C433 |
SHA-512: | 260FC6E254F75EAFA5A4E5EFF6D12E0EEA84B5F0E6F639F50C348FA0DEFD76C0DB0FDE477090CB2141589161FB8F63659B5C7A2B3EE90E88800DD2B4B02F1839 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Wine.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 57344 |
Entropy (8bit): | 6.9026269936985445 |
Encrypted: | false |
SSDEEP: | 768:QcDP8WBosd0bHazf0Tye4Ur2+9BGmd9OTGQ1Dv7sMvLHfR/ZByLS:CWyu0uZo2+9BGmdATGODv7xvTphAS |
MD5: | 9EB5AB8B9762D1104B76841A147A47E9 |
SHA1: | BE761B276C5D086E1B119C6834EC3D6AE0F0EB7A |
SHA-256: | 19D806B5883D0DA104AACC6B4A3449CEE32C13D4F50D604AF0B4F7BC5B3EE9AC |
SHA-512: | 4F5B658E3C194A713EAE87D706D7933C1FE81FB03D0259224B2013BA10EDA97954C1AE6109CF9BD8940ECBC157E15326F441D835D04CAE28867940A8004AA1AF |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Wine.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 10201 |
Entropy (8bit): | 5.191146205909233 |
Encrypted: | false |
SSDEEP: | 192:cKGlEVwLb6eaGPGbvrIClmk5hEqlZWfINKyswKu8/8reZKHzRxetcJOQcL25lTU:cKGlEqP63GgKkblZWf6ygTnCcJOQP56 |
MD5: | 337C9E7F6C3D1244D2A7F977540F6543 |
SHA1: | ED017D14AEF9F585112C99DAB0AB440EF200736E |
SHA-256: | 2F8CF4F585106302AAC7778B662C02E5BE45EE7F6FA98C128FC0EE8C2463B51A |
SHA-512: | BD75530E03D2146D5B83076CD76DA7E178F53259D892CAB2776DFB1833F1478990F4AFA1911DC10858328E475A75BFB227D1F69D35B860CBAF791734FFE89187 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 10201 |
Entropy (8bit): | 5.191146205909233 |
Encrypted: | false |
SSDEEP: | 192:cKGlEVwLb6eaGPGbvrIClmk5hEqlZWfINKyswKu8/8reZKHzRxetcJOQcL25lTU:cKGlEqP63GgKkblZWf6ygTnCcJOQP56 |
MD5: | 337C9E7F6C3D1244D2A7F977540F6543 |
SHA1: | ED017D14AEF9F585112C99DAB0AB440EF200736E |
SHA-256: | 2F8CF4F585106302AAC7778B662C02E5BE45EE7F6FA98C128FC0EE8C2463B51A |
SHA-512: | BD75530E03D2146D5B83076CD76DA7E178F53259D892CAB2776DFB1833F1478990F4AFA1911DC10858328E475A75BFB227D1F69D35B860CBAF791734FFE89187 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Wine.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 72704 |
Entropy (8bit): | 6.600022055182949 |
Encrypted: | false |
SSDEEP: | 1536:J0vQEcmFdni8yDGVFE5gOHu1CwCMIBZwneAJu7QnswIPumV3BxZxu6/sPYcSyRXi:J0Imbi80PtCZEMnVIPPBxT/sZg |
MD5: | 32F05FF849745D873A8BA45C37FFC2E7 |
SHA1: | 11A5E49705329F973127BF18C21ED4A71F0643FE |
SHA-256: | 1E8B134EFE1C131EDEF569445DA98287CE82881B2BE8DBB137FD31024E5078E3 |
SHA-512: | B3F41C64498F8622AD4FB24B497B45842A3E798AC179D689F01AF506BE67578D49348CCB4A644861D559EA4F9ABE0CE4FC5C9CBC6B85E1982FC7CD3C703FC319 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Wine.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 56320 |
Entropy (8bit): | 6.699816426848249 |
Encrypted: | false |
SSDEEP: | 768:oWiq/DOSOlwRDNFoDu+XdoXSMf17+sVXnQkdFLILu8rbPDmhdimkIXqURPN2mldg:oSDOSpZ+Sh+I+FrbCyI7P4Cxi8A |
MD5: | 065636BB55B8C9175F08FAA1E2768988 |
SHA1: | B5C9C62589A7A4A8EC0BA59AA152CD70251C61E9 |
SHA-256: | 1836E1F36EBD51487B7BCB29D3707BEE7B7D9E32B7BE339E8DC6526B69AF922A |
SHA-512: | DA397F759F9BC22F2DAC365F81CDB316E1A3A79870191A75A5C41721A271E6B829282BC3F5A8F07A17865627ACD2824C60E0F71618D288B4230D9D50A8735AB4 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Wine.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 76800 |
Entropy (8bit): | 6.6644055143967345 |
Encrypted: | false |
SSDEEP: | 1536:7zGc/xv5mjKu2IwNnPEBiqXv+G/UXT6TvY464qvI932eOypvcI:35mjccBiqXvpgF4qv+32eOyKI |
MD5: | FB6A357B559218AFFEB06C70F1B37507 |
SHA1: | 8FFD07EE5A7717C1B4E70EF377FC278254521B64 |
SHA-256: | E740CC0EC551361CB5CE2991011F77A6E59757ACEC70A0F53A91D732D677F535 |
SHA-512: | 951D096BA5AC99A682782AD34F4E3B1148E7148813D13A2130ED382E1E194D4E8058E63C775523F2BFBA50C92FCA039AC30FE8D95DDBEF444B5B5A2D039EE05F |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\Wine.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 46070 |
Entropy (8bit): | 7.996103211900551 |
Encrypted: | true |
SSDEEP: | 768:YtSWR+hNM5yqkMrTdjnzQE/m/okb58ZOZmpfQfVnehpnV0B2Jg:YNAhqf1BLzTkF4+fVqnSBIg |
MD5: | 453B2B4C96CA03DB9A82166C6A062783 |
SHA1: | 980CCC803659AB48A65453ACA6F8D9D81D319EB8 |
SHA-256: | D43E7585D2E0E3172B4F7069F72A2C37BAED60BD6B57F91873E2D3AC9C5ACF4C |
SHA-512: | DEAC4B555C8A5EE93899AAABC0D3CA9F899F9C8909D7DD413F623FFBE3CAAF6E3C54FC72C9B9AE334F97B01DB6AF2D9DD1146512447A42C334544DC74F7D0BF2 |
Malicious: | false |
Preview: |
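How the Size, Entropy, Encrypted and hash fields in the dropped-file entries above are derived, as an added example that is not Joe Sandbox code: 8-bit Shannon entropy and the MD5/SHA digests are the standard definitions; the 7.9 bits/byte cutoff used for the Encrypted flag is an assumption chosen to reproduce the values on this page (7.996 and above flagged true, 7.35 and below false), not the sandbox's actual rule. SSDEEP is left out because it needs a third-party module.

```python
"""Recompute the per-file metrics shown in a dropped-files listing.

Added example, not Joe Sandbox code. ENCRYPTED_ENTROPY is an assumed
threshold that matches the true/false values on this page, nothing more.
"""
import hashlib
import math
import os
from collections import Counter

# Assumption: files at or above this entropy are reported as "Encrypted: true".
ENCRYPTED_ENTROPY = 7.9


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def file_metrics(data: bytes) -> dict:
    """Return the fields the listing shows for one dropped file."""
    ent = shannon_entropy(data)
    return {
        "size": len(data),
        "entropy": ent,
        "encrypted": ent >= ENCRYPTED_ENTROPY,
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


def metrics_for_path(path: str) -> dict:
    """Same metrics for a file on disk (e.g. a dropped file pulled from a sandbox)."""
    with open(path, "rb") as fh:
        return file_metrics(fh.read())


if __name__ == "__main__":
    # Constructed inputs, not files from this analysis.
    samples = {
        "packed-like (random bytes)": os.urandom(64 * 1024),
        "script-like (repeated batch line)": b"@echo off\r\n" * 500,
        "header-like (MZ stub plus zero padding)": b"MZ" + bytes(4094),
    }
    for name, blob in samples.items():
        m = file_metrics(blob)
        print(f"{name}: size={m['size']} entropy={m['entropy']:.3f} "
              f"encrypted={m['encrypted']} md5={m['md5']}")
```

Pointing metrics_for_path at a dropped file recovered from the sandbox lets you confirm the MD5 and SHA-256 against the entries above before pivoting on them; the near-8.0 entropies in this listing are what you expect from compressed or encrypted payload fragments rather than from plain code or text.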
File type: | |
Entropy (8bit): | 7.979467909708447 |
TrID: | |
File name: | Wine.exe |
File size: | 1'377'720 bytes |
MD5: | 53de93968fda3933233df112ff5884a0 |
SHA1: | 669c5e52750f96b04376a3416628508614eb8598 |
SHA256: | 4c18e24f4f804739e9af4d393bad232e81e14329d578c2f36c285046c4c9628e |
SHA512: | 44876fc4d0ffa2403f124ba1e2d515d6aa12f78d0559b9e74253d7657606fb875056a01877211342c31230c08b7b362b2c6c94d1a862d5861ea5455773b68c86 |
SSDEEP: | 24576:aE7Cf2MeIDYktoF8/vcipzlE6mnkOGCUOFm4dxT+YDhYDYZvRuxFt49CBa5OdQn:xCO71q/finkOGCE4dZ+YDhYDYZv0x74j |
TLSH: | C45533E798ACCC32D5430A7171F2A7A3CDB1EC555490E38FB2054E9A3B24A419E74F93 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t...v...B...8..... |
Icon Hash: | ceb9ccd2d26dba4c |
Entrypoint: | 0x4038af |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x4F47E2E4 [Fri Feb 24 19:20:04 2012 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | be41bf7b8cc010b614bd36bbca606973 |
Signature Valid: | false |
Signature Issuer: | CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US |
Signature Validation Error: | The digital signature of the object did not verify |
Error Number: | -2146869232 |
Not Before, Not After: | |
Subject Chain: | |
Version: | 3 |
Thumbprint MD5: | 15E2254C8FC88D4A538BA4FB09C0019E |
Thumbprint SHA-1: | A731D48CD8E2A99BB91F7C096F40CEDF3A468BA6 |
Thumbprint SHA-256: | 866B46DC0876C0B9C85AFE6569E49352A021C255C8E7680DF6AC1FDBAD677033 |
Serial: | 03AA6492DE9D96A90A4BCA97BEADB44A |
Instruction |
---|
sub esp, 000002D4h |
push ebx |
push ebp |
push esi |
push edi |
push 00000020h |
xor ebp, ebp |
pop esi |
mov dword ptr [esp+18h], ebp |
mov dword ptr [esp+10h], 0040A268h |
mov dword ptr [esp+14h], ebp |
call dword ptr [00409030h] |
push 00008001h |
call dword ptr [004090B4h] |
push ebp |
call dword ptr [004092C0h] |
push 00000008h |
mov dword ptr [0047EB98h], eax |
call 00007FB899452B0Bh |
push ebp |
push 000002B4h |
mov dword ptr [0047EAB0h], eax |
lea eax, dword ptr [esp+38h] |
push eax |
push ebp |
push 0040A264h |
call dword ptr [00409184h] |
push 0040A24Ch |
push 00476AA0h |
call 00007FB8994527EDh |
call dword ptr [004090B0h] |
push eax |
mov edi, 004CF0A0h |
push edi |
call 00007FB8994527DBh |
push ebp |
call dword ptr [00409134h] |
cmp word ptr [004CF0A0h], 0022h |
mov dword ptr [0047EAB8h], eax |
mov eax, edi |
jne 00007FB8994500DAh |
push 00000022h |
pop esi |
mov eax, 004CF0A2h |
push esi |
push eax |
call 00007FB8994524B1h |
push eax |
call dword ptr [00409260h] |
mov esi, eax |
mov dword ptr [esp+1Ch], esi |
jmp 00007FB899450163h |
push 00000020h |
pop ebx |
cmp ax, bx |
jne 00007FB8994500DAh |
add esi, 02h |
cmp word ptr [esi], bx |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xac40 | 0xb4 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x100000 | 0x5056a | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x14dc60 | 0x2958 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x86000 | 0x994 | .ndata |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9000 | 0x2d0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x728c | 0x7400 | 419d4e1be1ac35a5db9c47f553b27cea | False | 0.6566540948275862 | data | 6.499708590628113 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x9000 | 0x2b6e | 0x2c00 | cca1ca3fbf99570f6de9b43ce767f368 | False | 0.3678977272727273 | data | 4.497932535153822 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xc000 | 0x72b9c | 0x200 | 77f0839f8ebea31040e462523e1c770e | False | 0.279296875 | data | 1.8049406284608531 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.ndata | 0x7f000 | 0x81000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x100000 | 0x5056a | 0x50600 | aba2dadb7a0dc58e9007e4eee93ccfe7 | False | 0.9912215688180405 | data | 7.9289200758377785 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x151000 | 0xfd6 | 0x1000 | 891f0b6fa7625b3c354f4e4791fcd27e | False | 0.5947265625 | data | 5.578478489468896 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x1001c0 | 0x496c8 | PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced | English | United States | 0.9938053627005028 |
RT_ICON | 0x149888 | 0x676c | PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced | English | United States | 0.9993579090497053 |
RT_DIALOG | 0x14fff4 | 0x100 | data | English | United States | 0.5234375 |
RT_DIALOG | 0x1500f4 | 0x11c | data | English | United States | 0.6056338028169014 |
RT_DIALOG | 0x150210 | 0x60 | data | English | United States | 0.7291666666666666 |
RT_GROUP_ICON | 0x150270 | 0x22 | data | English | United States | 0.9705882352941176 |
RT_MANIFEST | 0x150294 | 0x2d6 | XML 1.0 document, ASCII text, with very long lines (726), with no line terminators | English | United States | 0.5647382920110193 |
DLL | Import |
---|---|
KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW |
USER32.dll | GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW |
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject |
SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation |
ADVAPI32.dll | RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW |
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create |
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance |
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-23T01:20:24.625735+0100 | 2058230 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tacitglibbr .biz) | 1 | 192.168.2.5 | 59310 | 1.1.1.1 | 53 | UDP |
2024-12-23T01:20:26.254241+0100 | 2058231 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (tacitglibbr .biz in TLS SNI) | 1 | 192.168.2.5 | 49731 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:26.254241+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49731 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:27.001490+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49731 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:27.001490+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49731 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:28.262201+0100 | 2058231 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (tacitglibbr .biz in TLS SNI) | 1 | 192.168.2.5 | 49737 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:28.262201+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49737 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:29.052795+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.5 | 49737 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:29.052795+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49737 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:31.040274+0100 | 2058231 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (tacitglibbr .biz in TLS SNI) | 1 | 192.168.2.5 | 49743 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:31.040274+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49743 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:33.223141+0100 | 2058231 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (tacitglibbr .biz in TLS SNI) | 1 | 192.168.2.5 | 49749 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:33.223141+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49749 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:35.671264+0100 | 2058231 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (tacitglibbr .biz in TLS SNI) | 1 | 192.168.2.5 | 49755 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:35.671264+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49755 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:38.087207+0100 | 2058231 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (tacitglibbr .biz in TLS SNI) | 1 | 192.168.2.5 | 49766 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:38.087207+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49766 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:38.846547+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.5 | 49766 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:40.548814+0100 | 2058231 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (tacitglibbr .biz in TLS SNI) | 1 | 192.168.2.5 | 49772 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:40.548814+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49772 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:44.607860+0100 | 2058231 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (tacitglibbr .biz in TLS SNI) | 1 | 192.168.2.5 | 49783 | 104.21.50.161 | 443 | TCP |
2024-12-23T01:20:44.607860+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49783 | 104.21.50.161 | 443 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 23, 2024 01:20:00.399075031 CET | 59617 | 53 | 192.168.2.5 | 1.1.1.1 |
Dec 23, 2024 01:20:00.619940996 CET | 53 | 59617 | 1.1.1.1 | 192.168.2.5 |
Dec 23, 2024 01:20:24.625735044 CET | 59310 | 53 | 192.168.2.5 | 1.1.1.1 |
Dec 23, 2024 01:20:25.024081945 CET | 53 | 59310 | 1.1.1.1 | 192.168.2.5 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Dec 23, 2024 01:20:00.399075031 CET | 192.168.2.5 | 1.1.1.1 | 0x61f1 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Dec 23, 2024 01:20:24.625735044 CET | 192.168.2.5 | 1.1.1.1 | 0xb013 | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Dec 23, 2024 01:20:00.619940996 CET | 1.1.1.1 | 192.168.2.5 | 0x61f1 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
Dec 23, 2024 01:20:25.024081945 CET | 1.1.1.1 | 192.168.2.5 | 0xb013 | No error (0) | 104.21.50.161 | A (IP address) | IN (0x0001) | false | ||
Dec 23, 2024 01:20:25.024081945 CET | 1.1.1.1 | 192.168.2.5 | 0xb013 | No error (0) | 172.67.164.37 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.5 | 49731 | 104.21.50.161 | 443 | 4120 | C:\Users\user\AppData\Local\Temp\63933\Compare.com |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-12-23 00:20:26 UTC | 262 | OUT | |
2024-12-23 00:20:26 UTC | 8 | OUT | |
2024-12-23 00:20:26 UTC | 1121 | IN | |
2024-12-23 00:20:26 UTC | 7 | IN | |
2024-12-23 00:20:26 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.5 | 49737 | 104.21.50.161 | 443 | 4120 | C:\Users\user\AppData\Local\Temp\63933\Compare.com |
Timestamp | Bytes transferred | Direction |
---|---|---|
2024-12-23 00:20:28 UTC | 263 | OUT |
2024-12-23 00:20:28 UTC | 56 | OUT |
2024-12-23 00:20:29 UTC | 1123 | IN |
2024-12-23 00:20:29 UTC | 246 | IN |
2024-12-23 00:20:29 UTC | 888 | IN |
2024-12-23 00:20:29 UTC | 1369 | IN |
2024-12-23 00:20:29 UTC | 1369 | IN |
2024-12-23 00:20:29 UTC | 1369 | IN |
2024-12-23 00:20:29 UTC | 1369 | IN |
2024-12-23 00:20:29 UTC | 1369 | IN |
2024-12-23 00:20:29 UTC | 1369 | IN |
2024-12-23 00:20:29 UTC | 1369 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.5 | 49743 | 104.21.50.161 | 443 | 4120 | C:\Users\user\AppData\Local\Temp\63933\Compare.com |
Timestamp | Bytes transferred | Direction |
---|---|---|
2024-12-23 00:20:31 UTC | 279 | OUT |
2024-12-23 00:20:31 UTC | 12832 | OUT |
2024-12-23 00:20:31 UTC | 1131 | IN |
2024-12-23 00:20:31 UTC | 20 | IN |
2024-12-23 00:20:31 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.5 | 49749 | 104.21.50.161 | 443 | 4120 | C:\Users\user\AppData\Local\Temp\63933\Compare.com |
Timestamp | Bytes transferred | Direction |
---|---|---|
2024-12-23 00:20:33 UTC | 276 | OUT |
2024-12-23 00:20:33 UTC | 15056 | OUT |
2024-12-23 00:20:34 UTC | 1124 | IN |
2024-12-23 00:20:34 UTC | 20 | IN |
2024-12-23 00:20:34 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.5 | 49755 | 104.21.50.161 | 443 | 4120 | C:\Users\user\AppData\Local\Temp\63933\Compare.com |
Timestamp | Bytes transferred | Direction |
---|---|---|
2024-12-23 00:20:35 UTC | 279 | OUT |
2024-12-23 00:20:35 UTC | 15331 | OUT |
2024-12-23 00:20:35 UTC | 5233 | OUT |
2024-12-23 00:20:36 UTC | 1123 | IN |
2024-12-23 00:20:36 UTC | 20 | IN |
2024-12-23 00:20:36 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.5 | 49766 | 104.21.50.161 | 443 | 4120 | C:\Users\user\AppData\Local\Temp\63933\Compare.com |
Timestamp | Bytes transferred | Direction |
---|---|---|
2024-12-23 00:20:38 UTC | 272 | OUT |
2024-12-23 00:20:38 UTC | 1200 | OUT |
2024-12-23 00:20:38 UTC | 1125 | IN |
2024-12-23 00:20:38 UTC | 20 | IN |
2024-12-23 00:20:38 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.5 | 49772 | 104.21.50.161 | 443 | 4120 | C:\Users\user\AppData\Local\Temp\63933\Compare.com |
Timestamp | Bytes transferred | Direction |
---|---|---|
2024-12-23 00:20:40 UTC | 274 | OUT |
2024-12-23 00:20:40 UTC | 15331 | OUT |
2024-12-23 00:20:40 UTC | 15331 | OUT |
2024-12-23 00:20:40 UTC | 15331 | OUT |
2024-12-23 00:20:40 UTC | 15331 | OUT |
2024-12-23 00:20:40 UTC | 15331 | OUT |
2024-12-23 00:20:40 UTC | 15331 | OUT |
2024-12-23 00:20:40 UTC | 15331 | OUT |
2024-12-23 00:20:40 UTC | 15331 | OUT |
2024-12-23 00:20:40 UTC | 15331 | OUT |
2024-12-23 00:20:40 UTC | 15331 | OUT |
2024-12-23 00:20:43 UTC | 1145 | IN |
Target ID: | 0 |
Start time: | 19:19:55 |
Start date: | 22/12/2024 |
Path: | C:\Users\user\Desktop\Wine.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 1'377'720 bytes |
MD5 hash: | 53DE93968FDA3933233DF112FF5884A0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 2 |
Start time: | 19:19:56 |
Start date: | 22/12/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x790000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 19:19:56 |
Start date: | 22/12/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6d64d0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 4 |
Start time: | 19:19:57 |
Start date: | 22/12/2024 |
Path: | C:\Windows\SysWOW64\tasklist.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8a0000 |
File size: | 79'360 bytes |
MD5 hash: | 0A4448B31CE7F83CB7691A2657F330F1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 5 |
Start time: | 19:19:57 |
Start date: | 22/12/2024 |
Path: | C:\Windows\SysWOW64\findstr.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd50000 |
File size: | 29'696 bytes |
MD5 hash: | F1D4BE0E99EC734376FDE474A8D4EA3E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 6 |
Start time: | 19:19:58 |
Start date: | 22/12/2024 |
Path: | C:\Windows\SysWOW64\tasklist.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8a0000 |
File size: | 79'360 bytes |
MD5 hash: | 0A4448B31CE7F83CB7691A2657F330F1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 7 |
Start time: | 19:19:58 |
Start date: | 22/12/2024 |
Path: | C:\Windows\SysWOW64\findstr.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd50000 |
File size: | 29'696 bytes |
MD5 hash: | F1D4BE0E99EC734376FDE474A8D4EA3E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 8 |
Start time: | 19:19:58 |
Start date: | 22/12/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x790000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 9 |
Start time: | 19:19:58 |
Start date: | 22/12/2024 |
Path: | C:\Windows\SysWOW64\findstr.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd50000 |
File size: | 29'696 bytes |
MD5 hash: | F1D4BE0E99EC734376FDE474A8D4EA3E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 10 |
Start time: | 19:19:58 |
Start date: | 22/12/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x790000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 11 |
Start time: | 19:19:58 |
Start date: | 22/12/2024 |
Path: | C:\Users\user\AppData\Local\Temp\63933\Compare.com |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xc80000 |
File size: | 947'288 bytes |
MD5 hash: | 62D09F076E6E0240548C2F837536A46A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Antivirus matches: | |
Reputation: | moderate |
Has exited: | true |
Target ID: | 12 |
Start time: | 19:19:58 |
Start date: | 22/12/2024 |
Path: | C:\Windows\SysWOW64\choice.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xca0000 |
File size: | 28'160 bytes |
MD5 hash: | FCE0E41C87DC4ABBE976998AD26C27E4 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Execution Graph
Execution Coverage: | 17.9% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 21% |
Total number of Nodes: | 1482 |
Total number of Limit Nodes: | 27 |
Graph
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
004050F9 | 66.8 | 36 | 2 | 295 | window, clipboard, memory, COMMON |
004038AF | 52.8 | 22 | 8 | 304 | file, string, com, COMMON |
004015A0 | 56.4 | 15 | 17 | 351 | sleep, file, window, COMMON |
00405958 | 45.7 | 15 | 11 | 233 | string, registry, library, COMMON |
00401A1F | 22.9 | 5 | 8 | 185 | string, time, COMMON |
0040337F | 17.7 | 6 | 4 | 175 | file, COMMON |
004022FD | 7.6 | 5 | | 56 | memory, COMMON |
0040139D | 3.0 | 2 | | 42 | window, COMMON |
00405E7C | 3.0 | 2 | | 15 | file, COMMON |
00405E5C | 3.0 | 2 | | 9 | COMMON |
00403336 | 1.5 | 1 | | 22 | file, COMMON |
004037F8 | 1.5 | 1 | | 20 | COMMON |
00403DDB | 1.5 | 1 | | 9 | window, COMMON |
00403368 | 1.5 | 1 | | 6 | COMMON |
00403DC4 | 1.5 | 1 | | 6 | window, COMMON |
00403DB1 | 1.5 | 1 | | 4 | COMMON |
004049A8 | 65.2 | 33 | 4 | 470 | window, memory, COMMON |
00406CC7 | 31.7 | 9 | 9 | 190 | file, string, COMMON |
004044D1 | 30.0 | 15 | 2 | 300 | string, keyboard, COMMON |
00406EFE | 30.0 | 14 | 3 | 270 | file, string, COMMON |
00406831 | 21.2 | 8 | 4 | 212 | string, COMMON |
004079A2 | 0.3 | | | 347 | COMMON |
0040737E | 0.3 | | | 303 | COMMON |
004063D8 | 70.3 | 29 | 11 | 256 | library, loader, memory, COMMON |
004040E4 | 40.5 | 20 | 3 | 210 | window, string, COMMON |
00406AC5 | 35.2 | 15 | 5 | 163 | file, string, memory, COMMON |
00402880 | 17.6 | 4 | 6 | 131 | registry, string, COMMON |
00406113 | 15.8 | 7 | 2 | 72 | file, string, COMMON |
00402E55 | 14.1 | 7 | 1 | 103 | memory, file, COMMON |
004023F0 | 12.3 | 3 | 4 | 83 | library, COMMON |
00403DF6 | 12.1 | 8 | | 60 | COMMON |
00402238 | 10.6 | 3 | 3 | 59 | synchronization, COMMON |
0040487A | 10.5 | 5 | 1 | 48 | window, COMMON |
0040324C | 10.5 | 5 | 1 | 40 | time, COMMON |
0040209F | 7.5 | 5 | | 39 | window, COMMON |
00401F80 | 7.1 | 3 | 1 | 84 | window, time, COMMON |
004043D9 | 7.1 | 3 | 1 | 73 | string, COMMON |
004027E3 | 7.1 | 2 | 2 | 60 | registry, COMMON |
00402665 | 7.1 | 3 | 1 | 56 | string, COMMON |
00406250 | 7.1 | 2 | 2 | 53 | string, COMMON |
004020F9 | 6.0 | 4 | | 45 | COMMON |
00407224 | 6.0 | 3 | 1 | 43 | string, COMMON |
004032D2 | 6.0 | 4 | | 33 | COMMON |
00406391 | 6.0 | 4 | | 31 | memory, library, loader, COMMON |
004048F8 | 5.3 | 2 | 1 | 58 | window, COMMON |
00402797 | 5.3 | 2 | 1 | 25 | string, COMMON |
00405C6B | 5.3 | 2 | 1 | 24 | process, COMMON |
004062CF | 5.3 | 2 | 1 | 13 | string, COMMON |
00405DE2 | 5.0 | 4 | | 37 | string, COMMON |