Windows
Analysis Report
setup.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- setup.exe (PID: 6036 cmdline: "C:\Users\user\Desktop\setup.exe" MD5: 6DA280FB9C2DA7913E9C801B4DE02F47)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | |
{"C2 url": ["tirepublicerj.shop", "nearycrepso.shop", "noisycuttej.shop", "abruptyopsn.shop", "wholersorie.shop", "rabidcowse.shop", "cloudewahsj.shop", "swingybeattyz.sbs", "framekgirus.shop"], "Build id": "version--%s"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| Windows_Trojan_Donutloader_f40e3759 | unknown | unknown | |
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-05T18:43:29.530198+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49801 | 172.67.163.221 | 443 | TCP |
2025-01-05T18:43:30.516672+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49807 | 172.67.163.221 | 443 | TCP |
2025-01-05T18:43:31.703198+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49816 | 172.67.163.221 | 443 | TCP |
2025-01-05T18:43:32.924011+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49823 | 172.67.163.221 | 443 | TCP |
2025-01-05T18:43:34.089230+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49833 | 172.67.163.221 | 443 | TCP |
2025-01-05T18:43:35.539533+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49844 | 172.67.163.221 | 443 | TCP |
2025-01-05T18:43:36.620199+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49851 | 172.67.163.221 | 443 | TCP |
2025-01-05T18:43:37.848215+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49861 | 172.67.163.221 | 443 | TCP |
2025-01-05T18:43:39.204120+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49867 | 185.161.251.21 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-05T18:43:30.032304+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49801 | 172.67.163.221 | 443 | TCP |
2025-01-05T18:43:30.949248+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49807 | 172.67.163.221 | 443 | TCP |
2025-01-05T18:43:38.346784+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49861 | 172.67.163.221 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-05T18:43:30.032304+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.6 | 49801 | 172.67.163.221 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-05T18:43:30.949248+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.6 | 49807 | 172.67.163.221 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-05T18:43:33.445325+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49823 | 172.67.163.221 | 443 | TCP |
AV Detection |
---|
- Avira URL Cloud: 6 entries
- Malware Configuration Extractor: 1 entry
- ReversingLabs: 1 entry
- Virustotal: 1 entry
- String decryptor: 15 entries
- Static PE information: 1 entry
- HTTPS traffic detected: 9 entries
- Static PE information: 1 entry
- Binary string: 1 entry
Networking |
---|
- Suricata IDS: 6 entries
- URLs: 9 entries
- IP Address: 1 entry
- ASN Name: 1 entry
- JA3 fingerprint: 1 entry
- Suricata IDS: 9 entries
- HTTP traffic detected: 9 entries
- UDP traffic detected without corresponding DNS query: 2 entries
- HTTP traffic detected: 1 entry
- DNS traffic detected: 2 entries
- HTTP traffic detected: 1 entry
- String found in binary or memory: 73 entries
- Network traffic detected: 18 entries
- HTTPS traffic detected: 9 entries
System Summary |
---|
- Matched rule: 1 entry
- Process Stats: 1 entry
- Code function: 18 entries (0_3_0138E75C, 0_3_01335EB8)
- Static PE information: 1 entry
- Binary or memory string: 4 entries
- Static PE information: 1 entry
- Matched rule: 1 entry
- Classification label: 1 entry
- Static PE information: 1 entry
- Key opened: 1 entry
- Binary or memory string: 1 entry
- ReversingLabs: 1 entry
- Virustotal: 1 entry
- File read: 1 entry
- Section loaded: 54 entries
- Static file information: 1 entry
- Static PE information: 6 entries
- Static PE information: 1 entry
- Static PE information: 1 entry
- Binary string: 1 entry
- Static PE information: 5 entries
- Code function: 27 entries (0_3_0137A511, 0_3_013784A9, 0_3_0137E531)
- Process information set: 3 entries
Malware Analysis System Evasion |
---|
- WMI Queries: 1 entry
- System information queried: 1 entry
- Code function: 1 entry (0_3_0137A0F5)
- Thread sleep time: 1 entry
- WMI Queries: 1 entry
- Binary or memory string: 33 entries
- Process information queried: 1 entry
HIPS / PFW / Operating System Protection Evasion |
---|
- String found in binary or memory: 9 entries
- Queries volume information: 1 entry
- Key value queried: 1 entry
- Binary or memory string: 1 entry
- WMI Queries: 1 entry
Stealing of Sensitive Information |
---|
- File source: 3 entries
- String found in binary or memory: 9 entries
- File opened: 108 entries
- File opened: 1 entry
- File opened: 12 entries
- Directory queried: 6 entries
- File source: 1 entry
Remote Access Functionality |
---|
- File source: 3 entries
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 22 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 221 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 22 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 41 Data from Local System | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | 114 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 22 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 21% | ReversingLabs | Win32.Malware.Generic | |
| 16% | Virustotal | | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 100% | Avira URL Cloud | malware | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 100% | Avira URL Cloud | malware | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 100% | Avira URL Cloud | malware | |
| 0% | Avira URL Cloud | safe | |
| 100% | Avira URL Cloud | malware | |
| 100% | Avira URL Cloud | malware | |
| 100% | Avira URL Cloud | malware | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
cegu.shop | 185.161.251.21 | true | false | | high |
swingybeattyz.sbs | 172.67.163.221 | true | true | | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
(2 entries) | true | | unknown |
(9 entries) | false | | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
(28 entries) | | false | | high |
(20 entries) | | false | | unknown |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
172.67.163.221 | swingybeattyz.sbs | United States | 13335 | CLOUDFLARENETUS | true |
185.161.251.21 | cegu.shop | United Kingdom | 5089 | NTLGB | false |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1584516 |
Start date and time: | 2025-01-05 18:42:14 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 7m 39s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 6 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | setup.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@1/0@2/2 |
EGA Information: | Failed |
HCA Information: | |
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.12.23.50, 173.222.162.64
- Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target setup.exe, PID 6036 because there are no executed function
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description |
---|---|---|
12:43:29 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
172.67.163.221 | | Get hash | malicious | Unknown | Browse | |
185.161.251.21 | | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
cegu.shop | | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
NTLGB | | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | Mirai | Browse | |
| | Get hash | malicious | Mirai | Browse | |
| | Get hash | malicious | Mirai | Browse | |
| | Get hash | malicious | Mirai | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | Mirai | Browse | |
| | Get hash | malicious | Mirai | Browse | |
| | Get hash | malicious | Mirai | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC, PureLog Stealer | Browse | |
File type: | |
Entropy (8bit): | 0.433672070581177 |
TrID: | |
File name: | setup.exe |
File size: | 75'164'374 bytes |
MD5: | 6da280fb9c2da7913e9c801b4de02f47 |
SHA1: | 119298d4791194344e819d512638165a1517525b |
SHA256: | 8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99 |
SHA512: | 78f66c181d572bd0a12b748770578bb85b8c447c3fbc686d19b61bc226f185f512b6a3176fd04f147a5531fa281804b5fb393c3d30d0e6cd4a131d1c2ab5fe86 |
SSDEEP: | 12288:FRjEparvru3GWf+6vk7A5oI+3qYc40Y+wyNdl3sT9xvgihDqOn0JroELnF0soYqn:/Eaq3GWZvkWoQk0y |
TLSH: | 61F74BAA7600AFF3A743366D0932FEDC95B6E0A0933198F7514921466D63CDC4BB2D39 |
File Content Preview: | MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........Y.F|7.F|7.F|7...4.J|7.W...D|7...3.X|7...2..|7...1.G|7.W.4._|7.W.3.R|7.W.2..|7...6.Y|7.F|6..~7...2.P|7.....G|7.F|..G|7...5.G|7 |
Icon Hash: | e4a7aa2acada3ae0 |
Entrypoint: | 0x42d918 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x676969E3 [Mon Dec 23 13:47:15 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | f25ab2b89cf57e9099f9e15a113c344d |
Signature Valid: | false |
Signature Issuer: | CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US |
Signature Validation Error: | The digital signature of the object did not verify |
Error Number: | -2146869232 |
Not Before, Not After | |
Subject Chain | |
Version: | 3 |
Thumbprint MD5: | F7219078FBE20BC1B98BF8A86BFC0396 |
Thumbprint SHA-1: | 30632EA310114105969D0BDA28FDCE267104754F |
Thumbprint SHA-256: | 1B5061CF61C93822BDE2433156EEBE1F027C8FA9C88A4AF0EBD1348AF79C61E2 |
Serial: | 14781BC862E8DC503A559346F5DCC518 |
Instruction |
---|
call 00007FAAE0D1516Fh |
jmp 00007FAAE0D1464Fh |
cmp ecx, dword ptr [0045E540h] |
jne 00007FAAE0D147D3h |
ret |
jmp 00007FAAE0D14E7Eh |
push ebp |
mov ebp, esp |
push dword ptr [ebp+08h] |
call 00007FAAE0CFA834h |
pop ecx |
pop ebp |
ret |
push ebp |
mov ebp, esp |
test byte ptr [ebp+08h], 00000001h |
push esi |
mov esi, ecx |
mov dword ptr [esi], 004520D8h |
je 00007FAAE0D147DCh |
push 0000000Ch |
push esi |
call 00007FAAE0D147ADh |
pop ecx |
pop ecx |
mov eax, esi |
pop esi |
pop ebp |
retn 0004h |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
push ecx |
lea ecx, dword ptr [esp+08h] |
sub ecx, eax |
and ecx, 0Fh |
add eax, ecx |
sbb ecx, ecx |
or eax, ecx |
pop ecx |
jmp 00007FAAE0D147EFh |
push ecx |
lea ecx, dword ptr [esp+08h] |
sub ecx, eax |
and ecx, 07h |
add eax, ecx |
sbb ecx, ecx |
or eax, ecx |
pop ecx |
jmp 00007FAAE0D147D9h |
int3 |
int3 |
int3 |
int3 |
push ecx |
lea ecx, dword ptr [esp+04h] |
sub ecx, eax |
sbb eax, eax |
not eax |
and ecx, eax |
mov eax, esp |
and eax, FFFFF000h |
cmp ecx, eax |
jc 00007FAAE0D147DCh |
mov eax, ecx |
pop ecx |
xchg eax, esp |
mov eax, dword ptr [eax] |
mov dword ptr [esp], eax |
ret |
sub eax, 00001000h |
test dword ptr [eax], eax |
jmp 00007FAAE0D147BBh |
push ebp |
mov ebp, esp |
mov eax, dword ptr [ebp+08h] |
push esi |
mov ecx, dword ptr [eax+3Ch] |
add ecx, eax |
movzx eax, word ptr [ecx+14h] |
lea edx, dword ptr [ecx+18h] |
add edx, eax |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5c04c | 0x118 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x63000 | 0xc638 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x47ab116 | 0x39c0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x70000 | 0x57f6 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x56b30 | 0x54 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x56bc0 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x56a70 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x49000 | 0x5bc | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x47755 | 0x47800 | 5b3e1cef40bfe2b17ac7f363024b5816 | False | 0.5441740876311189 | data | 6.621047013216424 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x49000 | 0x14fd6 | 0x15000 | 80bb3174b628d0eec4a40f68d34202da | False | 0.3810221354166667 | data | 5.01820436379118 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x5e000 | 0x4c1c | 0x2000 | 5a281789af0ef4dd6dc9ec1803756cba | False | 0.206787109375 | data | 3.6036913248157205 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x63000 | 0xc638 | 0xc800 | 8200aac46d871db851325d09e4245420 | False | 0.3467578125 | data | 4.8528994197047135 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x70000 | 0x5ac00 | 0x5ac00 | 2a26492580dca5a32dc130cff269c665 | False | 0.6802228607093664 | data | 7.613071241008472 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_CURSOR | 0x6c148 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4805194805194805 |
RT_CURSOR | 0x6c280 | 0xb4 | Targa image data - Map 32 x 65536 x 1 +16 "\001" | English | United States | 0.7 |
RT_CURSOR | 0x6c360 | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294967264, 5120 elements, 2nd "\377\360?\377\377\370\177\377\377\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd | English | United States | 0.36363636363636365 |
RT_CURSOR | 0x6c4b0 | 0x134 | Targa image data - RLE 64 x 65536 x 1 +32 "\001" | English | United States | 0.35714285714285715 |
RT_CURSOR | 0x6c600 | 0x134 | data | English | United States | 0.37337662337662336 |
RT_CURSOR | 0x6c750 | 0x134 | data | English | United States | 0.37662337662337664 |
RT_CURSOR | 0x6c8a0 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | English | United States | 0.36688311688311687 |
RT_CURSOR | 0x6c9f0 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | English | United States | 0.37662337662337664 |
RT_CURSOR | 0x6cb40 | 0x134 | Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001" | English | United States | 0.36688311688311687 |
RT_CURSOR | 0x6cc90 | 0x134 | Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635 |
RT_CURSOR | 0x6cde0 | 0x134 | data | English | United States | 0.44155844155844154 |
RT_CURSOR | 0x6cf30 | 0x134 | data | English | United States | 0.4155844155844156 |
RT_CURSOR | 0x6d080 | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294966847, 3840 elements, 2nd "\377?\374\377\377\300\003\377\377\300\003\377\377\340\007\377\377\360\017\377\377\370\037\377\377\374?\377\377\376\177\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd | English | United States | 0.5422077922077922 |
RT_CURSOR | 0x6d1d0 | 0x134 | data | English | United States | 0.2662337662337662 |
RT_CURSOR | 0x6d320 | 0x134 | data | English | United States | 0.2824675324675325 |
RT_CURSOR | 0x6d470 | 0x134 | data | English | United States | 0.3246753246753247 |
RT_BITMAP | 0x6b808 | 0x728 | Device independent bitmap graphic, 48 x 16 x 8, image size 768 | English | United States | 0.3558951965065502 |
RT_BITMAP | 0x6d6e0 | 0xb8 | Device independent bitmap graphic, 12 x 10 x 4, image size 80 | English | United States | 0.44565217391304346 |
RT_BITMAP | 0x6d798 | 0x144 | Device independent bitmap graphic, 33 x 11 x 4, image size 220 | English | United States | 0.37962962962962965 |
RT_ICON | 0x63ff0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.43230277185501065 |
RT_ICON | 0x64e98 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.48962093862815886 |
RT_ICON | 0x65740 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.7050691244239631 |
RT_ICON | 0x65e08 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.5252890173410405 |
RT_ICON | 0x66370 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.2678423236514523 |
RT_ICON | 0x68918 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.37335834896810505 |
RT_ICON | 0x699c0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.6864754098360656 |
RT_ICON | 0x6a348 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.6400709219858156 |
RT_DIALOG | 0x6aea8 | 0x408 | data | English | United States | 0.44089147286821706 |
RT_DIALOG | 0x6a828 | 0x67c | data | English | United States | 0.405421686746988 |
RT_DIALOG | 0x6b2b0 | 0x1f4 | data | English | United States | 0.574 |
RT_DIALOG | 0x6bf30 | 0x216 | data | Swedish | Sweden | 0.5299625468164794 |
RT_DIALOG | 0x6d5c0 | 0xe8 | data | English | United States | 0.6336206896551724 |
RT_DIALOG | 0x6d6a8 | 0x34 | data | English | United States | 0.9038461538461539 |
RT_STRING | 0x6d8e0 | 0x54 | data | English | United States | 0.7023809523809523 |
RT_STRING | 0x6d938 | 0x82 | StarOffice Gallery theme p, 536899072 objects, 1st n | English | United States | 0.7153846153846154 |
RT_STRING | 0x6d9c0 | 0x2a | data | English | United States | 0.5476190476190477 |
RT_STRING | 0x6d9f0 | 0x184 | data | English | United States | 0.48711340206185566 |
RT_STRING | 0x6db78 | 0x4ee | data | English | United States | 0.375594294770206 |
RT_STRING | 0x6e3f8 | 0x264 | data | English | United States | 0.3333333333333333 |
RT_STRING | 0x6e118 | 0x2da | data | English | United States | 0.3698630136986301 |
RT_STRING | 0x6ee40 | 0x8a | data | English | United States | 0.6594202898550725 |
RT_STRING | 0x6e068 | 0xac | data | English | United States | 0.45348837209302323 |
RT_STRING | 0x6ed30 | 0xde | data | English | United States | 0.536036036036036 |
RT_STRING | 0x6e660 | 0x4a8 | data | English | United States | 0.3221476510067114 |
RT_STRING | 0x6eb08 | 0x228 | data | English | United States | 0.4003623188405797 |
RT_STRING | 0x6ee10 | 0x2c | data | English | United States | 0.5227272727272727 |
RT_STRING | 0x6eed0 | 0x53e | data | English | United States | 0.2965722801788376 |
RT_GROUP_CURSOR | 0x6c338 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | English | United States | 1.0294117647058822 |
RT_GROUP_CURSOR | 0x6cb28 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x6c498 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x6c9d8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x6c888 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x6d1b8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x6c738 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x6cdc8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x6c5e8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x6cc78 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x6cf18 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x6d068 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x6d308 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x6d458 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x6d5a8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_ICON | 0x6a7b0 | 0x76 | data | English | United States | 0.6610169491525424 |
RT_VERSION | 0x6b4a8 | 0x35c | data | English | United States | 0.436046511627907 |
RT_MANIFEST | 0x6f410 | 0x224 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (488), with CRLF line terminators | English | United States | 0.531021897810219 |
RT_MANIFEST | 0x63d50 | 0x299 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.47368421052631576 |
DLL | Import |
---|---|
WININET.dll | HttpSendRequestW, HttpAddRequestHeadersW, HttpOpenRequestW, InternetGetLastResponseInfoW, InternetReadFile, InternetConnectW, InternetOpenW, HttpQueryInfoW, InternetCloseHandle |
KERNEL32.dll | GlobalFlags, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, FlushFileBuffers, GetFullPathNameW, GetVolumeInformationW, SetErrorMode, FileTimeToLocalFileTime, GetFileAttributesExW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetEnvironmentStringsW, LocalReAlloc, LocalAlloc, GlobalHandle, GlobalReAlloc, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSection, WritePrivateProfileStringW, GetPrivateProfileIntW, lstrcmpA, GetCurrentThread, WriteConsoleW, GetVersionExW, GetCurrentProcessId, CompareStringW, GlobalFindAtomW, GlobalAddAtomW, lstrcmpW, GlobalDeleteAtom, LoadLibraryExW, GetSystemDirectoryW, GetCurrentThreadId, EncodePointer, FormatMessageW, LocalFree, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, GetModuleHandleW, GetModuleHandleA, InitializeCriticalSectionAndSpinCount, LeaveCriticalSection, OutputDebugStringW, RaiseException, RtlUnwind, GetCommandLineA, GetCommandLineW, GetModuleHandleExW, HeapQueryInformation, GetStdHandle, ExitProcess, GetTimeZoneInformation, LCMapStringW, EnterCriticalSection, SetLastError, OutputDebugStringA, GetACP, SystemTimeToFileTime, FileTimeToDosDateTime, UnmapViewOfFile, MapViewOfFile, CreateFileMappingW, GetLocalTime, GetSystemTime, GetCurrentProcess, DuplicateHandle, GetFileType, GetFileInformationByHandle, FindNextFileW, WinExec, DeleteCriticalSection, GetProcessHeap, HeapSize, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, HeapFree, HeapReAlloc, HeapAlloc, DecodePointer, lstrlenW, LoadLibraryA, GetProcAddress, lstrcpynW, GetNumberFormatW, GetLocaleInfoW, MulDiv, GetUserDefaultLangID, FileTimeToSystemTime, SystemTimeToTzSpecificLocalTime, WideCharToMultiByte, MultiByteToWideChar, CopyFileExW, GetPrivateProfileStringW, lstrcpyW, LoadLibraryW, GetModuleFileNameW, FreeLibrary, GetWindowsDirectoryW, GetLastError, WriteFile, SetFilePointer, GetFileSizeEx, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, CloseHandle, ReadFile, GetFileSize, CreateFileW, CopyFileW, FindResourceW, SizeofResource, LockResource, LoadResource, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetStringTypeW, SetFilePointerEx, GetConsoleOutputCP, GetConsoleMode, TerminateProcess |
USER32.dll | CharUpperW, DestroyMenu, RealChildWindowFromPoint, GetSysColorBrush, PostQuitMessage, TranslateMessage, GetMessageW, GetWindowThreadProcessId, WindowFromPoint, GetCursorPos, ClientToScreen, GetDesktopWindow, GetActiveWindow, GetNextDlgTabItem, EndDialog, CreateDialogIndirectParamW, IsDialogMessageW, SetWindowTextW, IsWindowEnabled, SetDlgItemTextW, ShowWindow, GetMonitorInfoW, MonitorFromWindow, WinHelpW, CallNextHookEx, SetWindowsHookExW, GetLastActivePopup, GetClassNameW, GetClassLongW, GetWindowLongW, CopyRect, MapWindowPoints, AdjustWindowRectEx, GetWindowTextLengthW, GetWindowTextW, RemovePropW, GetPropW, SetPropW, GetScrollPos, ValidateRect, EndPaint, BeginPaint, SetForegroundWindow, GetForegroundWindow, SetMenu, GetMenu, GetCapture, GetKeyState, GetDlgCtrlID, GetDlgItem, IsIconic, IsWindowVisible, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, SetWindowPos, DestroyWindow, IsChild, IsMenu, CreateWindowExW, GetClassInfoExW, GetClassInfoW, RegisterClassW, CallWindowProcW, DefWindowProcW, GetMessageTime, PeekMessageW, GetWindow, DispatchMessageW, LoadBitmapW, SetMenuItemInfoW, GetMenuCheckMarkDimensions, SetMenuItemBitmaps, EnableMenuItem, CheckMenuItem, UnhookWindowsHookEx, GetMenuItemCount, GetMenuItemID, GetSubMenu, OffsetRect, SetRectEmpty, SendDlgItemMessageA, UpdateWindow, GetFocus, DrawEdge, GetParent, SetWindowLongW, MessageBeep, ReleaseDC, GetDC, KillTimer, IsWindow, InflateRect, InvalidateRect, TabbedTextOutW, GrayStringW, DrawTextExW, DrawTextW, FillRect, GetSysColor, GetClientRect, RedrawWindow, DrawIcon, GetSystemMetrics, UnregisterClassW, MessageBoxW, SetActiveWindow, ReleaseCapture, SetCapture, SetFocus, GetAsyncKeyState, wsprintfW, CopyIcon, DestroyCursor, LoadCursorW, PtInRect, ScreenToClient, SetCursor, SetTimer, PostMessageW, GetMessagePos, RegisterWindowMessageW, GetWindowRect, LockWindowUpdate, LoadIconW, EnableWindow, SendMessageW, GetTopWindow |
GDI32.dll | MoveToEx, SelectObject, SetViewportExtEx, SetViewportOrgEx, SetWindowExtEx, SetWindowOrgEx, OffsetViewportOrgEx, ScaleViewportExtEx, SetMapMode, SetBkMode, ScaleWindowExtEx, GetObjectW, SelectClipRgn, SaveDC, RestoreDC, LineTo, GetClipBox, DeleteObject, CreatePen, SetTextColor, SetBkColor, CreateBitmap, CreateRectRgn, CreateSolidBrush, ExtTextOutW, TextOutW, RectVisible, PtVisible, GetTextExtentPoint32W, GetCurrentObject, GetBkColor, Escape, CreateCompatibleDC, CreateCompatibleBitmap, BitBlt, GetStockObject, GetDeviceCaps, DeleteDC, CreateDCW, CreateFontIndirectW |
WINSPOOL.DRV | OpenPrinterW, DocumentPropertiesW, ClosePrinter |
ADVAPI32.dll | RegCreateKeyExW, RegCloseKey, RegEnumValueW, RegEnumKeyW, RegSetValueExW, RegDeleteValueW, RegDeleteKeyW, IsTextUnicode, RegQueryValueExW, RegQueryValueW, RegOpenKeyExW |
SHELL32.dll | ShellExecuteExW, ShellExecuteW, ExtractIconW |
COMCTL32.dll | ImageList_GetBkColor, ImageList_GetImageInfo, ImageList_SetBkColor |
SHLWAPI.dll | PathRemoveFileSpecW, PathIsUNCW, PathStripToRootW, PathFindFileNameW, PathFindExtensionW |
ole32.dll | CoUninitialize, CoInitializeEx, CoCreateInstance, CoTaskMemFree, CoCreateGuid, CoInitialize |
OLEAUT32.dll | SysFreeString, VariantInit, VariantClear, VariantChangeType, SysAllocString |
VERSION.dll | VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW |
OLEACC.dll | CreateStdAccessibleObject, LresultFromObject |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Swedish | Sweden |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-05T18:43:29.530198+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49801 | 172.67.163.221 | 443 | TCP |
2025-01-05T18:43:30.032304+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.6 | 49801 | 172.67.163.221 | 443 | TCP |
2025-01-05T18:43:30.032304+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49801 | 172.67.163.221 | 443 | TCP |
2025-01-05T18:43:30.516672+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49807 | 172.67.163.221 | 443 | TCP |
2025-01-05T18:43:30.949248+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.6 | 49807 | 172.67.163.221 | 443 | TCP |
2025-01-05T18:43:30.949248+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49807 | 172.67.163.221 | 443 | TCP |
2025-01-05T18:43:31.703198+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49816 | 172.67.163.221 | 443 | TCP |
2025-01-05T18:43:32.924011+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49823 | 172.67.163.221 | 443 | TCP |
2025-01-05T18:43:33.445325+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.6 | 49823 | 172.67.163.221 | 443 | TCP |
2025-01-05T18:43:34.089230+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49833 | 172.67.163.221 | 443 | TCP |
2025-01-05T18:43:35.539533+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49844 | 172.67.163.221 | 443 | TCP |
2025-01-05T18:43:36.620199+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49851 | 172.67.163.221 | 443 | TCP |
2025-01-05T18:43:37.848215+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49861 | 172.67.163.221 | 443 | TCP |
2025-01-05T18:43:38.346784+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.6 | 49861 | 172.67.163.221 | 443 | TCP |
2025-01-05T18:43:39.204120+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.6 | 49867 | 185.161.251.21 | 443 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 5, 2025 18:43:29.047281981 CET | 49801 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:29.047324896 CET | 443 | 49801 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:29.047414064 CET | 49801 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:29.052928925 CET | 49801 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:29.052951097 CET | 443 | 49801 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:29.530128002 CET | 443 | 49801 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:29.530198097 CET | 49801 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:29.531835079 CET | 49801 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:29.531845093 CET | 443 | 49801 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:29.532139063 CET | 443 | 49801 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:29.581552029 CET | 49801 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:29.581589937 CET | 49801 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:29.581675053 CET | 443 | 49801 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:30.032318115 CET | 443 | 49801 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:30.032423019 CET | 443 | 49801 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:30.032501936 CET | 49801 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:30.034034014 CET | 49801 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:30.034051895 CET | 443 | 49801 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:30.034073114 CET | 49801 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:30.034080029 CET | 443 | 49801 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:30.040990114 CET | 49807 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:30.041034937 CET | 443 | 49807 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:30.041301966 CET | 49807 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:30.041722059 CET | 49807 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:30.041735888 CET | 443 | 49807 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:30.516596079 CET | 443 | 49807 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:30.516671896 CET | 49807 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:30.518214941 CET | 49807 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:30.518222094 CET | 443 | 49807 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:30.518606901 CET | 443 | 49807 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:30.519900084 CET | 49807 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:30.519916058 CET | 49807 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:30.519969940 CET | 443 | 49807 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:30.949259996 CET | 443 | 49807 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:30.949300051 CET | 443 | 49807 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:30.949326038 CET | 443 | 49807 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:30.949352980 CET | 443 | 49807 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:30.949373960 CET | 49807 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:30.949378967 CET | 443 | 49807 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:30.949408054 CET | 443 | 49807 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:30.949424028 CET | 49807 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:30.949563026 CET | 49807 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:30.949568033 CET | 443 | 49807 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:30.950023890 CET | 443 | 49807 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:30.950160980 CET | 49807 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:30.950167894 CET | 443 | 49807 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:30.953917980 CET | 443 | 49807 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:30.953942060 CET | 443 | 49807 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:30.953967094 CET | 443 | 49807 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:30.953968048 CET | 49807 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:30.953979015 CET | 443 | 49807 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:30.954020023 CET | 49807 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:30.954056025 CET | 443 | 49807 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:30.954117060 CET | 49807 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:30.954333067 CET | 49807 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:30.954350948 CET | 443 | 49807 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:30.954359055 CET | 49807 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:30.954364061 CET | 443 | 49807 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:31.243133068 CET | 49816 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:31.243145943 CET | 443 | 49816 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:31.243221998 CET | 49816 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:31.243526936 CET | 49816 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:31.243539095 CET | 443 | 49816 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:31.703079939 CET | 443 | 49816 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:31.703197956 CET | 49816 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:31.704442978 CET | 49816 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:31.704451084 CET | 443 | 49816 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:31.704683065 CET | 443 | 49816 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:31.708806992 CET | 49816 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:31.708962917 CET | 49816 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:31.708992958 CET | 443 | 49816 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:32.319957972 CET | 443 | 49816 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:32.320054054 CET | 443 | 49816 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:32.320225954 CET | 49816 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:32.320383072 CET | 49816 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:32.320400953 CET | 443 | 49816 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:32.422295094 CET | 49823 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:32.422334909 CET | 443 | 49823 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:32.422425032 CET | 49823 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:32.422748089 CET | 49823 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:32.422760963 CET | 443 | 49823 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:32.923943043 CET | 443 | 49823 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:32.924010992 CET | 49823 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:32.925292015 CET | 49823 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:32.925317049 CET | 443 | 49823 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:32.925640106 CET | 443 | 49823 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:32.927066088 CET | 49823 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:32.927237034 CET | 49823 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:32.927289009 CET | 443 | 49823 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:32.927337885 CET | 49823 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:32.975322008 CET | 443 | 49823 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:33.445342064 CET | 443 | 49823 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:33.445429087 CET | 443 | 49823 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:33.445597887 CET | 49823 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:33.445667982 CET | 49823 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:33.445686102 CET | 443 | 49823 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:33.613645077 CET | 49833 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:33.613681078 CET | 443 | 49833 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:33.613776922 CET | 49833 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:33.614108086 CET | 49833 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:33.614120960 CET | 443 | 49833 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:34.089162111 CET | 443 | 49833 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:34.089230061 CET | 49833 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:34.090323925 CET | 49833 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:34.090333939 CET | 443 | 49833 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:34.090568066 CET | 443 | 49833 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:34.092860937 CET | 49833 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:34.092988968 CET | 49833 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:34.093024969 CET | 443 | 49833 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:34.093089104 CET | 49833 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:34.093101025 CET | 443 | 49833 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:34.719897985 CET | 443 | 49833 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:34.719995975 CET | 443 | 49833 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:34.720201015 CET | 49833 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:34.720323086 CET | 49833 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:34.720340014 CET | 443 | 49833 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:35.055308104 CET | 49844 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:35.055354118 CET | 443 | 49844 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:35.055414915 CET | 49844 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:35.055712938 CET | 49844 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:35.055728912 CET | 443 | 49844 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:35.539459944 CET | 443 | 49844 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:35.539532900 CET | 49844 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:35.540827990 CET | 49844 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:35.540838957 CET | 443 | 49844 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:35.541066885 CET | 443 | 49844 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:35.545049906 CET | 49844 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:35.545120955 CET | 49844 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:35.545126915 CET | 443 | 49844 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:36.075563908 CET | 443 | 49844 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:36.075666904 CET | 443 | 49844 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:36.075906038 CET | 49844 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:36.075906038 CET | 49844 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:36.157779932 CET | 49851 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:36.157819986 CET | 443 | 49851 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:36.157907963 CET | 49851 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:36.158209085 CET | 49851 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:36.158221960 CET | 443 | 49851 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:36.390326023 CET | 49844 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:36.390336990 CET | 443 | 49844 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:36.620091915 CET | 443 | 49851 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:36.620198965 CET | 49851 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:36.621431112 CET | 49851 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:36.621443987 CET | 443 | 49851 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:36.621676922 CET | 443 | 49851 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:36.622889996 CET | 49851 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:36.622994900 CET | 49851 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:36.623002052 CET | 443 | 49851 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:37.319583893 CET | 443 | 49851 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:37.319685936 CET | 443 | 49851 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:37.319788933 CET | 49851 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:37.319927931 CET | 49851 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:37.319940090 CET | 443 | 49851 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:37.373722076 CET | 49861 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:37.373749971 CET | 443 | 49861 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:37.373819113 CET | 49861 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:37.374157906 CET | 49861 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:37.374171019 CET | 443 | 49861 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:37.848145962 CET | 443 | 49861 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:37.848215103 CET | 49861 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:37.849545002 CET | 49861 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:37.849550962 CET | 443 | 49861 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:37.849813938 CET | 443 | 49861 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:37.851006031 CET | 49861 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:37.851022005 CET | 49861 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:37.851080894 CET | 443 | 49861 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:38.346788883 CET | 443 | 49861 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:38.346899986 CET | 443 | 49861 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:38.346955061 CET | 49861 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:38.347095013 CET | 49861 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:38.347100019 CET | 443 | 49861 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:38.347114086 CET | 49861 | 443 | 192.168.2.6 | 172.67.163.221 |
Jan 5, 2025 18:43:38.347122908 CET | 443 | 49861 | 172.67.163.221 | 192.168.2.6 |
Jan 5, 2025 18:43:38.460321903 CET | 49867 | 443 | 192.168.2.6 | 185.161.251.21 |
Jan 5, 2025 18:43:38.460362911 CET | 443 | 49867 | 185.161.251.21 | 192.168.2.6 |
Jan 5, 2025 18:43:38.460442066 CET | 49867 | 443 | 192.168.2.6 | 185.161.251.21 |
Jan 5, 2025 18:43:38.460792065 CET | 49867 | 443 | 192.168.2.6 | 185.161.251.21 |
Jan 5, 2025 18:43:38.460805893 CET | 443 | 49867 | 185.161.251.21 | 192.168.2.6 |
Jan 5, 2025 18:43:39.204027891 CET | 443 | 49867 | 185.161.251.21 | 192.168.2.6 |
Jan 5, 2025 18:43:39.204119921 CET | 49867 | 443 | 192.168.2.6 | 185.161.251.21 |
Jan 5, 2025 18:43:39.205646992 CET | 49867 | 443 | 192.168.2.6 | 185.161.251.21 |
Jan 5, 2025 18:43:39.205655098 CET | 443 | 49867 | 185.161.251.21 | 192.168.2.6 |
Jan 5, 2025 18:43:39.205902100 CET | 443 | 49867 | 185.161.251.21 | 192.168.2.6 |
Jan 5, 2025 18:43:39.207077026 CET | 49867 | 443 | 192.168.2.6 | 185.161.251.21 |
Jan 5, 2025 18:43:39.251323938 CET | 443 | 49867 | 185.161.251.21 | 192.168.2.6 |
Jan 5, 2025 18:43:39.564559937 CET | 443 | 49867 | 185.161.251.21 | 192.168.2.6 |
Jan 5, 2025 18:43:39.564623117 CET | 443 | 49867 | 185.161.251.21 | 192.168.2.6 |
Jan 5, 2025 18:43:39.564954042 CET | 49867 | 443 | 192.168.2.6 | 185.161.251.21 |
Jan 5, 2025 18:43:39.565001011 CET | 49867 | 443 | 192.168.2.6 | 185.161.251.21 |
Jan 5, 2025 18:43:39.565011978 CET | 443 | 49867 | 185.161.251.21 | 192.168.2.6 |
Jan 5, 2025 18:43:39.565025091 CET | 49867 | 443 | 192.168.2.6 | 185.161.251.21 |
Jan 5, 2025 18:43:39.565030098 CET | 443 | 49867 | 185.161.251.21 | 192.168.2.6 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 5, 2025 18:43:29.026487112 CET | 52329 | 53 | 192.168.2.6 | 1.1.1.1 |
Jan 5, 2025 18:43:29.038374901 CET | 53 | 52329 | 1.1.1.1 | 192.168.2.6 |
Jan 5, 2025 18:43:38.349706888 CET | 49453 | 53 | 192.168.2.6 | 1.1.1.1 |
Jan 5, 2025 18:43:38.459451914 CET | 53 | 49453 | 1.1.1.1 | 192.168.2.6 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Jan 5, 2025 18:43:29.026487112 CET | 192.168.2.6 | 1.1.1.1 | 0xc5a8 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 5, 2025 18:43:38.349706888 CET | 192.168.2.6 | 1.1.1.1 | 0xad65 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Jan 5, 2025 18:43:29.038374901 CET | 1.1.1.1 | 192.168.2.6 | 0xc5a8 | No error (0) | | | 172.67.163.221 | A (IP address) | IN (0x0001) | false |
Jan 5, 2025 18:43:29.038374901 CET | 1.1.1.1 | 192.168.2.6 | 0xc5a8 | No error (0) | | | 104.21.57.130 | A (IP address) | IN (0x0001) | false |
Jan 5, 2025 18:43:38.459451914 CET | 1.1.1.1 | 192.168.2.6 | 0xad65 | No error (0) | | | 185.161.251.21 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.6 | 49801 | 172.67.163.221 | 443 | 6036 | C:\Users\user\Desktop\setup.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-05 17:43:29 UTC | 264 | OUT | |
2025-01-05 17:43:29 UTC | 8 | OUT | |
2025-01-05 17:43:30 UTC | 1134 | IN | |
2025-01-05 17:43:30 UTC | 7 | IN | |
2025-01-05 17:43:30 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.6 | 49807 | 172.67.163.221 | 443 | 6036 | C:\Users\user\Desktop\setup.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-05 17:43:30 UTC | 265 | OUT | |
2025-01-05 17:43:30 UTC | 78 | OUT | |
2025-01-05 17:43:30 UTC | 1127 | IN | |
2025-01-05 17:43:30 UTC | 242 | IN | |
2025-01-05 17:43:30 UTC | 1369 | IN | |
2025-01-05 17:43:30 UTC | 1369 | IN | |
2025-01-05 17:43:30 UTC | 1369 | IN | |
2025-01-05 17:43:30 UTC | 1369 | IN | |
2025-01-05 17:43:30 UTC | 1369 | IN | |
2025-01-05 17:43:30 UTC | 1369 | IN | |
2025-01-05 17:43:30 UTC | 1369 | IN | |
2025-01-05 17:43:30 UTC | 1369 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.6 | 49816 | 172.67.163.221 | 443 | 6036 | C:\Users\user\Desktop\setup.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-05 17:43:31 UTC | 274 | OUT | |
2025-01-05 17:43:31 UTC | 12804 | OUT | |
2025-01-05 17:43:32 UTC | 1134 | IN | |
2025-01-05 17:43:32 UTC | 20 | IN | |
2025-01-05 17:43:32 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.6 | 49823 | 172.67.163.221 | 443 | 6036 | C:\Users\user\Desktop\setup.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-05 17:43:32 UTC | 277 | OUT | |
2025-01-05 17:43:32 UTC | 15068 | OUT | |
2025-01-05 17:43:33 UTC | 1129 | IN | |
2025-01-05 17:43:33 UTC | 20 | IN | |
2025-01-05 17:43:33 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.6 | 49833 | 172.67.163.221 | 443 | 6036 | C:\Users\user\Desktop\setup.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-05 17:43:34 UTC | 283 | OUT | |
2025-01-05 17:43:34 UTC | 15331 | OUT | |
2025-01-05 17:43:34 UTC | 4631 | OUT | |
2025-01-05 17:43:34 UTC | 1139 | IN | |
2025-01-05 17:43:34 UTC | 20 | IN | |
2025-01-05 17:43:34 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.6 | 49844 | 172.67.163.221 | 443 | 6036 | C:\Users\user\Desktop\setup.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-05 17:43:35 UTC | 273 | OUT | |
2025-01-05 17:43:35 UTC | 886 | OUT | |
2025-01-05 17:43:36 UTC | 1132 | IN | |
2025-01-05 17:43:36 UTC | 20 | IN | |
2025-01-05 17:43:36 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.6 | 49851 | 172.67.163.221 | 443 | 6036 | C:\Users\user\Desktop\setup.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-05 17:43:36 UTC | 280 | OUT | |
2025-01-05 17:43:36 UTC | 1090 | OUT | |
2025-01-05 17:43:37 UTC | 1138 | IN | |
2025-01-05 17:43:37 UTC | 20 | IN | |
2025-01-05 17:43:37 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.6 | 49861 | 172.67.163.221 | 443 | 6036 | C:\Users\user\Desktop\setup.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-05 17:43:37 UTC | 266 | OUT | |
2025-01-05 17:43:37 UTC | 113 | OUT | |
2025-01-05 17:43:38 UTC | 1130 | IN | |
2025-01-05 17:43:38 UTC | 218 | IN | |
2025-01-05 17:43:38 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
8 | 192.168.2.6 | 49867 | 185.161.251.21 | 443 | 6036 | C:\Users\user\Desktop\setup.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-05 17:43:39 UTC | 201 | OUT | |
2025-01-05 17:43:39 UTC | 249 | IN | |
2025-01-05 17:43:39 UTC | 329 | IN |
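The nine session tables above carry only record sizes and direction (the Data column is empty), but that is enough to separate the handshake and beacon sessions from the ones that actually push data out. The script below is an added example, not part of the Joe Sandbox report or its tooling: SESSIONS is transcribed by hand from the "Bytes transferred" rows above, and the thresholds in flag_upload_sessions are assumptions chosen for illustration rather than any vendor rule.

```python
"""Per-session upload/download summary for the HTTPS session tables above.

Added example; not part of the Joe Sandbox report and not the sandbox's own
code. SESSIONS is transcribed from the "Bytes transferred" rows of the nine
session tables (the Data column is empty in the report, so only sizes are
used). The thresholds in flag_upload_sessions are assumptions for illustration.
"""
from dataclasses import dataclass

# session id -> (destination IP, OUT record sizes, IN record sizes)
# Transcribed from the report; destination port is 443 and the process is
# PID 6036 (setup.exe) for every session.
SESSIONS = {
    0: ("172.67.163.221", [264, 8],           [1134, 7, 5]),
    1: ("172.67.163.221", [265, 78],          [1127, 242] + [1369] * 8),
    2: ("172.67.163.221", [274, 12804],       [1134, 20, 5]),
    3: ("172.67.163.221", [277, 15068],       [1129, 20, 5]),
    4: ("172.67.163.221", [283, 15331, 4631], [1139, 20, 5]),
    5: ("172.67.163.221", [273, 886],         [1132, 20, 5]),
    6: ("172.67.163.221", [280, 1090],        [1138, 20, 5]),
    7: ("172.67.163.221", [266, 113],         [1130, 218, 5]),
    8: ("185.161.251.21", [201],              [249, 329]),
}


@dataclass(frozen=True)
class SessionSummary:
    session_id: int
    dest_ip: str
    bytes_out: int
    bytes_in: int

    @property
    def upload_ratio(self) -> float:
        """OUT/IN byte ratio; a large value means the client mostly sent data."""
        return self.bytes_out / self.bytes_in if self.bytes_in else float("inf")


def summarize(sessions=SESSIONS):
    """Collapse each session's record list into total OUT and IN bytes."""
    return [
        SessionSummary(sid, dest, sum(out), sum(inn))
        for sid, (dest, out, inn) in sorted(sessions.items())
    ]


def flag_upload_sessions(summaries, min_out=4096, min_ratio=4.0):
    """Return session ids whose traffic is dominated by client uploads.

    min_out filters out TLS handshakes and small beacons; min_ratio separates
    a request carrying a payload from a request/response of similar size.
    Both values are assumptions chosen for this example.
    """
    return [
        s.session_id
        for s in summaries
        if s.bytes_out >= min_out and s.upload_ratio >= min_ratio
    ]


def per_destination(summaries):
    """Aggregate (session count, total OUT bytes, total IN bytes) per destination IP."""
    totals = {}
    for s in summaries:
        count, out, inn = totals.get(s.dest_ip, (0, 0, 0))
        totals[s.dest_ip] = (count + 1, out + s.bytes_out, inn + s.bytes_in)
    return totals


if __name__ == "__main__":
    summaries = summarize()
    for s in summaries:
        print(f"session {s.session_id}: {s.dest_ip} out={s.bytes_out} "
              f"in={s.bytes_in} ratio={s.upload_ratio:.1f}")
    print("upload-heavy sessions:", flag_upload_sessions(summaries))
    print("per destination:", per_destination(summaries))
```

Run as-is, the script reports sessions 2, 3 and 4 (13,078, 15,345 and 20,245 bytes sent against roughly 1.1 KB received each) as upload-heavy, session 1 as the only download-heavy one (about 12 KB received in 1369-byte records), and eight sessions to 172.67.163.221 versus a single one to 185.161.251.21. Those figures follow directly from the tables; whether the uploads are the HTTP POST exfiltration described in the overview cannot be confirmed from sizes alone, because the report shows no decrypted payload.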
Target ID: | 0 |
Start time: | 12:43:08 |
Start date: | 05/01/2025 |
Path: | C:\Users\user\Desktop\setup.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xc70000 |
File size: | 75'164'374 bytes |
MD5 hash: | 6DA280FB9C2DA7913E9C801B4DE02F47 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | false |
Function 01335EB8 Relevance: 2.0, Strings: 1, Instructions: 789 COMMON
Function 0138E75C Relevance: .7, Instructions: 659 COMMON
Function 0137A0F5 Relevance: .1, Instructions: 91 COMMON