Windows Analysis Report
DodSussex.exe

Overview

General Information

Detection
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Classification
- System is w10x64
- DodSussex.exe (PID: 7348, cmdline: "C:\Users\user\Desktop\DodSussex.exe", MD5: 7D1B12A3E617535C0FE754DABD278393)
- cmd.exe (PID: 7708, cmdline: "C:\Windows\System32\cmd.exe" /c copy Richards Richards.cmd && Richards.cmd, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7716, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- tasklist.exe (PID: 7796, cmdline: tasklist, MD5: 0A4448B31CE7F83CB7691A2657F330F1)
- findstr.exe (PID: 7804, cmdline: findstr /I "opssvc wrsa", MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
- tasklist.exe (PID: 7844, cmdline: tasklist, MD5: 0A4448B31CE7F83CB7691A2657F330F1)
- findstr.exe (PID: 7852, cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth", MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
- cmd.exe (PID: 7892, cmdline: cmd /c md 506480, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- findstr.exe (PID: 7904, cmdline: findstr /V "Concert" Tmp, MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
- cmd.exe (PID: 7916, cmdline: cmd /c copy /b ..\Colombia + ..\Soc + ..\Plate + ..\Reporter + ..\Bar + ..\Lottery + ..\Continent f, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Sally.com (PID: 7932, cmdline: Sally.com f, MD5: 62D09F076E6E0240548C2F837536A46A)
- choice.exe (PID: 7948, cmdline: choice /d y /t 5, MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
- cleanup
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
 | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |
Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)

HIPS / PFW / Operating System Protection Evasion
Author: Joe Security
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-10T11:54:44.933061+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49835 | 104.102.49.254 | 443 | TCP |
2025-01-10T11:54:46.013829+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49846 | 104.21.64.1 | 443 | TCP |
2025-01-10T11:54:47.026307+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49853 | 104.21.64.1 | 443 | TCP |
2025-01-10T11:54:48.081112+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 56439 | 104.21.64.1 | 443 | TCP |
2025-01-10T11:54:49.136637+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 56448 | 104.21.64.1 | 443 | TCP |
2025-01-10T11:54:50.287566+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 56458 | 104.21.64.1 | 443 | TCP |
2025-01-10T11:54:51.521831+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 56467 | 104.21.80.1 | 443 | TCP |
2025-01-10T11:54:57.082545+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 56504 | 104.21.80.1 | 443 | TCP |
2025-01-10T11:54:58.096622+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 56509 | 104.21.80.1 | 443 | TCP |
2025-01-10T11:54:46.447439+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49846 | 104.21.64.1 | 443 | TCP |
2025-01-10T11:54:47.505009+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49853 | 104.21.64.1 | 443 | TCP |
2025-01-10T11:54:58.609964+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 56509 | 104.21.80.1 | 443 | TCP |
2025-01-10T11:54:46.447439+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49846 | 104.21.64.1 | 443 | TCP |
2025-01-10T11:54:47.505009+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.7 | 49853 | 104.21.64.1 | 443 | TCP |
2025-01-10T11:54:44.259729+0100 | 2058210 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 59207 | 1.1.1.1 | 53 | UDP |
2025-01-10T11:54:44.155704+0100 | 2058039 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 61761 | 1.1.1.1 | 53 | UDP |
2025-01-10T11:54:44.181115+0100 | 2058214 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 50110 | 1.1.1.1 | 53 | UDP |
2025-01-10T11:54:44.226191+0100 | 2058216 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 55072 | 1.1.1.1 | 53 | UDP |
2025-01-10T11:54:44.215119+0100 | 2058218 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 52588 | 1.1.1.1 | 53 | UDP |
2025-01-10T11:54:44.194010+0100 | 2058220 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 56632 | 1.1.1.1 | 53 | UDP |
2025-01-10T11:54:44.168312+0100 | 2058222 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 50260 | 1.1.1.1 | 53 | UDP |
2025-01-10T11:54:44.270962+0100 | 2058226 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 65292 | 1.1.1.1 | 53 | UDP |
2025-01-10T11:54:44.248307+0100 | 2058236 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 52846 | 1.1.1.1 | 53 | UDP |
2025-01-10T11:54:50.880339+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 56458 | 104.21.64.1 | 443 | TCP |
2025-01-10T11:54:57.622733+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 56504 | 104.21.80.1 | 443 | TCP |
2025-01-10T11:54:45.433464+0100 | 2858666 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49835 | 104.102.49.254 | 443 | TCP |
AV Detection
- Virustotal
- ReversingLabs
- Integrated Neural Analysis Model
- Static PE information
- HTTPS traffic detected (9 entries)
- Static PE information
- Code function: 2_2_00406301, 2_2_00406CC7
- File opened (6 entries)
Networking
- Suricata IDS (17 alerts)
- DNS query (3 entries)
- DNS traffic detected (12 entries)
- TCP traffic
- IP Address (5 entries)
- ASN Name
- JA3 fingerprint
- Suricata IDS (9 alerts)
- HTTP traffic detected (9 entries)
- TCP traffic detected without corresponding DNS query (4 entries)
- UDP traffic detected without corresponding DNS query (15 entries)
- HTTP traffic detected
- DNS traffic detected (14 entries)
- HTTP traffic detected
- String found in binary or memory (30 entries)
- Network traffic detected (18 entries)
- HTTPS traffic detected (9 entries)
- Code function: 2_2_004050F9, 2_2_004044D1, 2_2_004038AF
- File created (4 entries)
- Code function: 2_2_0040737E, 2_2_00406EFE, 2_2_004079A2, 2_2_004049A8
- Dropped File
- Code function
- Static PE information (3 entries)
- Classification label
- Code function: 2_2_004044D1, 2_2_004024FB
- Mutant created
- File created
- Static PE information
- WMI Queries (2 entries)
- File read
- Key opened
- Virustotal
- ReversingLabs
- File read
- Process created (12 entries)
- Process created (10 entries)
- Section loaded (117 entries)
- Key value queried
- Process created
- Window detected
- Static file information
- Static PE information
- Code function: 2_2_00406328
- Static PE information
Persistence and Installation Behavior
- File created (dropped file, 2 entries)
- Process information set (20 entries)
Malware Analysis System Evasion
- System information queried
- Thread sleep time
- WMI Queries
- Last function
- Code function: 2_2_00406301, 2_2_00406CC7
- File opened (6 entries)
- Process information queried
- Code function: 2_2_00406328
- Process token adjusted (2 entries)
- Process created (10 entries)
- Binary or memory string
- Queries volume information
- Code function: 2_2_00406831
- WMI Queries
Stealing of Sensitive Information
- File source
- File opened (107 entries)
- File opened (7 entries)
- File opened (12 entries)
Remote Access Functionality
- File source
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 21 Windows Management Instrumentation | 1 DLL Side-Loading | 12 Process Injection | 11 Masquerading | 2 OS Credential Dumping | 11 Security Software Discovery | Remote Services | 11 Input Capture | 11 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Virtualization/Sandbox Evasion | 11 Input Capture | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 12 Process Injection | Security Account Manager | 3 Process Discovery | SMB/Windows Admin Shares | 3 Data from Local System | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 3 File and Directory Discovery | Distributed Component Object Model | 1 Clipboard Data | 14 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 24 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Software Packing | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
69% | Virustotal | Browse | ||
63% | ReversingLabs | Win32.Trojan.Etset |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | ReversingLabs |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
steamcommunity.com | 104.102.49.254 | true | false | high | |
sputnik-1985.com | 104.21.64.1 | true | false | high | |
sordid-snaked.cyou | unknown | unknown | false | high | |
diffuculttan.xyz | unknown | unknown | false | high | |
effecterectz.xyz | unknown | unknown | false | high | |
awake-weaves.cyou | unknown | unknown | false | high | |
immureprech.biz | unknown | unknown | false | high | |
wrathful-jammy.cyou | unknown | unknown | false | high | |
deafeninggeh.biz | unknown | unknown | false | high | |
brendon-sharjen.biz | unknown | unknown | false | high | |
212.20.149.52.in-addr.arpa | unknown | unknown | true | unknown | |
18.31.95.13.in-addr.arpa | unknown | unknown | false | high | |
vrBdqvBMJv.vrBdqvBMJv | unknown | unknown | true | unknown | |
debonairnukk.xyz | unknown | unknown | false | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
false | high | ||
false | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high | |||
false | high | |||
false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
104.102.49.254 | steamcommunity.com | United States | 16625 | AKAMAI-ASUS | false | |
104.21.64.1 | sputnik-1985.com | United States | 13335 | CLOUDFLARENETUS | false | |
104.21.80.1 | unknown | United States | 13335 | CLOUDFLARENETUS | true |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1587450 |
Start date and time: | 2025-01-10 11:53:16 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 56s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 23 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | DodSussex.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@22/22@15/3 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212, 13.95.31.18, 20.109.210.53
- Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtSetInformationFile calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description |
---|---|---|
05:54:12 | API Interceptor | |
07:03:34 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
104.102.49.254 | | Get hash | malicious | Socks5Systemz | Browse | |
| | Get hash | malicious | Unknown | Browse | |
104.21.64.1 | | Get hash | malicious | FormBook | Browse | |
| | Get hash | malicious | FormBook | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | CMSBrute | Browse | |
| | Get hash | malicious | FormBook | Browse | |
104.21.80.1 | | Get hash | malicious | Amadey | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | FormBook | Browse | |
| | Get hash | malicious | CMSBrute | Browse | |
| | Get hash | malicious | XWorm | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
sputnik-1985.com | | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC, PureLog Stealer | Browse | |
| | Get hash | malicious | LummaC | Browse | |
steamcommunity.com | | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CLOUDFLARENETUS | | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | HTMLPhisher | Browse | |
| | Get hash | malicious | HTMLPhisher | Browse | |
| | Get hash | malicious | MassLogger RAT | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | Unknown | Browse | |
AKAMAI-ASUS | | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
CLOUDFLARENETUS | | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | HTMLPhisher | Browse | |
| | Get hash | malicious | HTMLPhisher | Browse | |
| | Get hash | malicious | MassLogger RAT | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | Unknown | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
C:\Users\user\AppData\Local\Temp\506480\Sally.com | | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC | Browse | |
| | Get hash | malicious | LummaC Stealer | Browse | |
| | Get hash | malicious | Remcos | Browse | |
| | Get hash | malicious | Remcos | Browse | |
| | Get hash | malicious | LummaC | Browse | |
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | modified |
Size (bytes): | 947288 |
Entropy (8bit): | 6.630612696399572 |
Encrypted: | false |
SSDEEP: | 24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK |
MD5: | 62D09F076E6E0240548C2F837536A46A |
SHA1: | 26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2 |
SHA-256: | 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49 |
SHA-512: | 32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F |
Malicious: | true |
Antivirus: | |
Joe Sandbox View: | |
Preview: |
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 488285 |
Entropy (8bit): | 7.999650397726416 |
Encrypted: | true |
SSDEEP: | 12288:FXMSSwveqLytb23f98xjkZl4f2t21OAYvRSjd0sK7dF:6rwvqtb23f98xjkQO2ovRHJF |
MD5: | 1F949F855725B814F3A7EA748F86E1F4 |
SHA1: | 3A47DA408A2507F5A466022FAAB45F8BAE08AC04 |
SHA-256: | 081891FB2A0F8F89A270882E562C3699A76C38B8C592F1218A976D2FAB92E37E |
SHA-512: | 175ED5C06BE096A352D12FFF2B7D4771555A93B4B791177DD6FE063F02FC2374C66E3F3C09E5FF3393A2FD8284C94321CCAEBEC701CADB96E8F7CF4EE7ED5F66 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\DodSussex.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 59392 |
Entropy (8bit): | 7.997255022711895 |
Encrypted: | true |
SSDEEP: | 1536:BxuDutUd/h0B+WGPRZbRC3t52AsZhRD8dOVwVjcYigt:Bbch0B4fRC3toAsZhh8sVwVAXC |
MD5: | 1AD3762D9A2E9F7C9C85CAE85C885B44 |
SHA1: | C359A13948C7CB048D23BBC5DC1A07E27C27C635 |
SHA-256: | 63DF092C6101513833B688DA8A7726490E2979025F447E6BDEEDB22EB7A75238 |
SHA-512: | E220C398B3695C367A0D44D353CA96A7AD9F4189DAF081B45F9038B5EC24223635442E4276828DB0D64CF515EB982D354087A73DDF04309871721D8D45510633 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\DodSussex.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 84992 |
Entropy (8bit): | 7.998016083121416 |
Encrypted: | true |
SSDEEP: | 1536:m+v0U5E/5ZmftbAdSqTNy+UM9vJxI4K9hjAa9bTxBuMDTpfO7LxyEUQTLmMqoZBM:mej5BAdS8o+7JODnAIDThog2TiMqAqz/ |
MD5: | 041A4A8E5250EB83A858D7A03ABA53EE |
SHA1: | 428B23DB70ACA46FD23A244204800828F90DCF57 |
SHA-256: | E0DE517FAF0F6A45571E8D78E06E18547341778197A7B0668E572E6C7601E71C |
SHA-512: | 65C2C7C9DAD31BFDC1BD860531B23962316B9A8F3326AFA3944BBAB892B5CAEE7D7075293F3ABAF2EC3B9C45D291A7223B3DE2D8DFE1CF9FA257E05E203E5FF5 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\DodSussex.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12125 |
Entropy (8bit): | 7.9826753280992415 |
Encrypted: | false |
SSDEEP: | 192:w8RXmpKMi4oZ8hLP94zhZ0tzMW7pLM0EEzHWq0LYgqC8zqZZUMfWgwiyGiEsAxU0:w8RZMi181PJtzVpLM0T5L+2MOIyGiEy0 |
MD5: | 56965D446B8B3ED71F331829110A0317 |
SHA1: | 3A1BF436C4B6339EAEB636C0F447FA0A844A1984 |
SHA-256: | B1022DB5597F7B1417C9E6091845DA10F1E5BE348C8B476ECD22647F9F03AD4E |
SHA-512: | 3C55EB27417151505724277F19BD51E32FD902690FE7683CCC04EAC3BFC0A8E6AEBA03F23C3C4B6E8A1BD878D0BDBCE6C6E3A1D58492841A52EA7C70D7B9DBCD |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\DodSussex.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 117760 |
Entropy (8bit): | 6.298688885908169 |
Encrypted: | false |
SSDEEP: | 3072:uZg5PXPeiR6MKkjGWoUlJUPdgQa8Bp/LxyA3laWP:uK5vPeDkjGgQaE/l9 |
MD5: | B2DF4A56E1E5958DAE48BFF97DC8AEAD |
SHA1: | A15CDB450C252591D99A86531A555957D51648C0 |
SHA-256: | 3D63854361C945D825D608D2C6E95BECFC84C61EBA99CC00794A8DBF405EDC2A |
SHA-512: | 4996B0C06F8F0708275C83551860931DE0103B785340D72B1175BF06E73FC050E24976B82979B03B909D3E0F703707A6F8A2EEA00249C665A5DF0419869883DB |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\DodSussex.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 122880 |
Entropy (8bit): | 6.6329225386334985 |
Encrypted: | false |
SSDEEP: | 3072:CPnj0nEoXnmowS2u5hVOoQ7t8T6pUkBJR8CThpmESv+Aqt:CPj0nEo3tb2j6AUkB0CThp6vmt |
MD5: | 71708556E25CE367649554B854216213 |
SHA1: | 67A404A45755D4D90E86FEB92AD5D79619F4136B |
SHA-256: | F563F0C1CA619A68157CC8D08F04A2C7296585784BCC0ED92C8FA051F8894B96 |
SHA-512: | 7F6CCF7A73FA0EF693367877C28B6366EB389C284934C98BA0CA12D4376B299B92746C9FC4CD050AEBA40BD6DAC6E7B5D24C4E814F443F5F84FF8A033809449D |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\DodSussex.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 116736 |
Entropy (8bit): | 6.573874067645755 |
Encrypted: | false |
SSDEEP: | 3072:HnBypIbv18mLthfhnueoMmOqDoioO5bLezW9FfTut/Dde6u640ewy4Za9coX:HnjphfhnvO5bLezWWt/Dd314V14ZgPX |
MD5: | 2116D859C28594A21FE39B67325D5E08 |
SHA1: | 58B61B59E554CF67CCAB0F4339D4C9C1157D8C09 |
SHA-256: | 0273A1A578D37B7885C7B2A903D0D9C38E029AAA4BB0A75CC94A2B61CCD5FDFC |
SHA-512: | 7F6D05616088561A1B61409112BCDF73550C48A6A5FDFDCE50FBDD4F139D1246FF656FE2546F5D0B393C4441994D4D288646A2ACEC50D1E742117388B1725A5F |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\DodSussex.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 144384 |
Entropy (8bit): | 6.6606229613519385 |
Encrypted: | false |
SSDEEP: | 3072:r0Imbi80PtCZEMnVIPPBxT/sZydTmRxlHS3NxrHSBRts:ebfSCOMVIPPL/sZ7HS3zcs |
MD5: | FE316201CD04F114BE8E3C768F1A6A80 |
SHA1: | EA8C9359CD0E23810B0FE7FB61F483DB2CF27B58 |
SHA-256: | ABE8E9EDA741B2CE6B323A5F7CBFE50C5EABF7134F5CF7FEE1651D8E621A4C7B |
SHA-512: | 9B41F31223ADA6028C5D41AAF54D7D7A00BC5A14C41B0D566F8639174487AC8B9020DAB15D0423A68956E2C71FF027EDA358619605F5E7F8E032AF9851743BF5 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\DodSussex.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 97280 |
Entropy (8bit): | 7.998253899267367 |
Encrypted: | true |
SSDEEP: | 1536:JATTbg1G4hdTxxmYmp0iJDn0kcjsTt5+/Ufm/WhpRupaEXM7WF5MBy6HXI9veeQ4:JAz2G4P9x1R0hcjIHlfmWnRupaHquyWu |
MD5: | 6EF5958F657EF7B6E4F0D63C032FAD68 |
SHA1: | 9767FA0E554E80A1DF9C793CB71CDA7FF4DA649F |
SHA-256: | 5D784FD2BAE5208B447CE0C0188CAA4FCE2CE71D8E7E1AD1F9B8BCA41996AD4D |
SHA-512: | CA27822F826D5C60631C744E836293AA8826663C554B75C1792B02A332CC2E79E2D20320BBA4A2D90666DF6DDAE69B448C8E68B9EBAAB77B649F06103D79B87A |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\DodSussex.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 54272 |
Entropy (8bit): | 4.976290237693684 |
Encrypted: | false |
SSDEEP: | 384:hjLWWel319stEjFtr+/hdvE6HDyOpbM136KeBzC6GFe46JRoGWbHkdzfkfiCbwHj:hOWel3EYr8qcDP8WBosd0bHazf0Tye41 |
MD5: | 8997E8FA8A54C9AC2A2D9200621DDA87 |
SHA1: | 7E9340AF09A3062931B47A752A0931D73CB55877 |
SHA-256: | 65A20FE7070943DED764E5B73A6873E47E06A85A575C5091B58CF67B47196248 |
SHA-512: | 00DC1472CAADFE8691DADCD6DEE1363A8B507679B299BF95E74434C0A7F751CFB171052AA1F49D1D7D8FC5B00137B48BBA648FDA031C9E4CDB5E6CDA0F6B87EE |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\DodSussex.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 58368 |
Entropy (8bit): | 7.996647918985145 |
Encrypted: | true |
SSDEEP: | 768:E27pysg3BiN+H5SlyGDOteYKrAUXJ5wQwtWSnMNHRBYwgTW3C6q1D34c0IOINOnu:vlyFH5LGD00SnsswRU1D3YsonZJmTXlp |
MD5: | AE35C579D60CAF20B7D597158AD311BA |
SHA1: | 51A1A3A8725665CC15ACB243BB84E0BB82E96FD9 |
SHA-256: | 0F00636438353D74C9141C33CF5CDC1570034C6D6B9B64C183F9B32AC71C7758 |
SHA-512: | F2C86C79448425233EE1D008F87A06CF9A6833D5F7FD3F36F94C96643009754691A5A342F73EA950A27E4A6569F6A35CE023B979B4431E673D19667D9BDF42BC |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\DodSussex.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 128000 |
Entropy (8bit): | 6.715435071194161 |
Encrypted: | false |
SSDEEP: | 3072:eUDQWf05mjccBiqXvpgF4qv+32eOyKODOSpQSAU4Cm:eUDtf0accB3gBmmLsiS+SAhCm |
MD5: | 1DF09CE2E3FD06F524053E2C8F375F4C |
SHA1: | D748742BB153C24FCB2A62528CD9F1E862570C47 |
SHA-256: | AD31A966DADFED0A0ECEB4BAA3F16B04BA71162CA4E7FE975A4E40FA8B47392E |
SHA-512: | A27F082E95D6321A8696630B384CB580B7DF176B2C49A558A5A91E7067A943604BF9D8532EEB594EA6675EC69F7EF97A5AFF92F139001CBAD79AE23B4C9CCB54 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\DodSussex.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 66560 |
Entropy (8bit): | 5.768526831145491 |
Encrypted: | false |
SSDEEP: | 1536:hYfv2j62SfuVGHj1vtK7h6R8anHsWccd0vtmgMbFuz08QX:hC2jfTq8QLeAg0Fuz08Q |
MD5: | 7C1B83F747D65522F2902FFB6D393238 |
SHA1: | 5A55FB4C5361ADA4CC75BEAE8837FD55E5E88999 |
SHA-256: | E7950B737C4326E8311D5AFEE2534EC54F07B2453A609961C45DCBEEEA5EAB0F |
SHA-512: | F29A21AD039F6E5E58C85D0E85377D30EF19E2597BB06C67DEAB7A57DCC60A09B2E68746D5223EB1D5BB2865B81CF923993E91B2257EEB6B81FA8D52589B0B03 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\DodSussex.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 55868 |
Entropy (8bit): | 6.823164011690287 |
Encrypted: | false |
SSDEEP: | 768:Wr2+9BGmd9OTGQ1Dv7sMvLHfR/ZByLiFuO/ChgZ45VatJVEV3GPkjF:G2+9BGmdATGODv7xvTphAiPChgZ2kOE6 |
MD5: | C604C81304F1F1FC98EF6268D92387A8 |
SHA1: | 96469C313EB51A440089BADF2E0871373C2FD611 |
SHA-256: | A389142EE653858C22F03F48C265CD993E35302FE6F229E9995D8AABD25C5EB3 |
SHA-512: | C416C6BD81EA909B35699CA1C33E12B4508BB86AF54BFF1EB3CE601CBE171D9011831386DA09A7EC23037B4CD57FFFAC105D92EFE2BCB5ABAC18676C781D71D8 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\DodSussex.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 93184 |
Entropy (8bit): | 7.9981892073975684 |
Encrypted: | true |
SSDEEP: | 1536:uUVws5KfsyD+A9+auNlhk/DDPyDL4HuPeHD5GRNUkALO6g15wZs0wFdVarG:uUShHDzBuOHaPSuPeHDURNv02dVarG |
MD5: | 02FADF45F4774292D5A717BF9A48F5C0 |
SHA1: | 315E27BD110F5528869C324BA03182AC411089AD |
SHA-256: | 07520F6B91F7B845231D1F8ADDFBCDC0C8436E3D22B3B72D70BE9E2706230D66 |
SHA-512: | CE127B0962B0CB56EFF7CB39BA7637CF9C1A89CC06CE56E8D2A817D898738C4DBE2ED8FEC8B90EF5A57E3202FCA23B868F6542053B6005FFDD0C2744EDFA7ACD |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\DodSussex.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 17364 |
Entropy (8bit): | 5.117252077353431 |
Encrypted: | false |
SSDEEP: | 384:eAEc99Cegad6HZ1yiTfo/tY2vtyaPChY8UD4n1ystfb1hL:eWuad651jTymykGChY8UD4n42fxhL |
MD5: | 19347C9378E50E89CCE8AFF3B4386362 |
SHA1: | FC04CD4CE3F1EDABEBE8946E0F22C91963DEB0E9 |
SHA-256: | 6F0F5A2D3A9E3C45B74526F44420612DFF2CCA2C270074FBCEDF4E2FB8ED5F5B |
SHA-512: | 9571D75E72B51737D5B57EF4297A3D1C787A8A7C31A3DDB6F5A5717CE3F9A1FE1AF74E11DE162F70402C83913EE90DBD0EE53AEEAA9CBA3553D33D2CAC9C6A8E |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 17364 |
Entropy (8bit): | 5.117252077353431 |
Encrypted: | false |
SSDEEP: | 384:eAEc99Cegad6HZ1yiTfo/tY2vtyaPChY8UD4n1ystfb1hL:eWuad651jTymykGChY8UD4n42fxhL |
MD5: | 19347C9378E50E89CCE8AFF3B4386362 |
SHA1: | FC04CD4CE3F1EDABEBE8946E0F22C91963DEB0E9 |
SHA-256: | 6F0F5A2D3A9E3C45B74526F44420612DFF2CCA2C270074FBCEDF4E2FB8ED5F5B |
SHA-512: | 9571D75E72B51737D5B57EF4297A3D1C787A8A7C31A3DDB6F5A5717CE3F9A1FE1AF74E11DE162F70402C83913EE90DBD0EE53AEEAA9CBA3553D33D2CAC9C6A8E |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\DodSussex.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 4.9070078868344025 |
Encrypted: | false |
SSDEEP: | 768:YGKAGWRqA60dTcR4qYnGfAHE9AUsFxyLtVSQsbZgar3R:5Kaj6iTcPAsAhxjgarB |
MD5: | E8DC1F5FD22B25776F5CB7ACD0A58905 |
SHA1: | CB81992B9139C0BC3C2A1577FE5EE1F4E7A78D61 |
SHA-256: | C15F40C26B6EBFD6EC81328063E128AC18951AC7D9BCE31A4166DBCEC4790220 |
SHA-512: | 35215CFC7AC1C8CCD56658659C84C141F01B5F88843031DF6828178FBF8548721E2E8660EA93AB447DE4D9AF35B4BBA068EE1FA05E7B6EC8D745B2C2D97DAF24 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\DodSussex.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 82944 |
Entropy (8bit): | 7.997794968290599 |
Encrypted: | true |
SSDEEP: | 1536:1ldS4u+Xj+VpxqV+WeryjHHpEU4Fi2a5ggKmzVmv16Y7ZIYtpvXZ:1ldS4DXIxmzuyjnpEUyja58Hdj7ZJr |
MD5: | 1D1356C390684ABA866922E138AD1858 |
SHA1: | 1348B49C25E18A2EE6CEE60CFEF5E1E14D5B65B0 |
SHA-256: | D1720BF3248BF97C115712D3F7EFF489F4A23C03BD7BDA1D8DD738C5E36814C4 |
SHA-512: | 6621BEC0296B542C2A5D95E34218698DDB7FF80C2D3D782E3407A0A9188353F2FCDA4FCD59E6A468E7C9EF899410EB56C32BE7454B6728D87C70ED00734F570F |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\DodSussex.exe |
File Type: | |
Category: | modified |
Size (bytes): | 74752 |
Entropy (8bit): | 5.595783601346845 |
Encrypted: | false |
SSDEEP: | 768:S7Vkr5M4INduPbOU7aI4kCD9vmPukxhSaAwuXc/mex/J:eklMBNIimuzaAwusPb |
MD5: | 9E36A5516B4A2927DF2C56A253742E2F |
SHA1: | 1B7547B7840B3B91DEDCE4F0FC558B702826D106 |
SHA-256: | 1C998AF72B77B5FF42D467BE77386E4CAAB80179A6430C6D88A8BD62C4CABFDB |
SHA-512: | 338A069FED59AD867464553372705833A160694447E2AEE527747EF630C00FCD4263637D9FC2ECB2F4074E4EDA0BB0D0A8EE19CF09A36D928E6A46FF60D8BABA |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\DodSussex.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 547 |
Entropy (8bit): | 4.359972911732652 |
Encrypted: | false |
SSDEEP: | 6:a88qjvVg3F+X32+hZCt7HSbYwClS6CSNEcixN3Qdp94sA4PvMt/66h1I2YgJ62/K:yyGSG+fCtJfjEvadTfA43k66h1ICdC3n |
MD5: | C6833D266E5A297E203CD411AF09DCBE |
SHA1: | 749204195AD8425765FEC02DD861903BB5EEF5BE |
SHA-256: | 04EB252DDAFEA87AC3D5DF21C8D6EC9EB39FFC56D9D6C225090178B1C128B4BA |
SHA-512: | 2B25DAC4FCD31F20AE599F102507C565EF31D1F091192FE29D7E50FB792109DCAD9F1C40CF85EED5CA11E68774535EBC99E9938756EE1F37972C1A54A200FE0C |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 7.983375386852366 |
TrID: | |
File name: | DodSussex.exe |
File size: | 1'678'847 bytes |
MD5: | 7d1b12a3e617535c0fe754dabd278393 |
SHA1: | a491a8dfebe21a4e6ffad330bb5a6bdc24cff56a |
SHA256: | 7aa257295dc88b4b65d80fa9541bc6b029cf67c47aed445ca4d7ebe7b806e793 |
SHA512: | 6dfd70238014b73a92818fcc637d829a99e05edd7e77a0df9d81f363de1be3cb352da5d340259dff9914cb3dcc601e9de2b9e6cfcff59a6711ddd0c3303e6011 |
SSDEEP: | 24576:Eu/J5gf4UvzU8YxX6/hCx3MVpBR60dRpu/A8vRYgxOrDrDvrQy/l5LtElfuatcqX:t/+4U7yS60fQyrEWl5hElfuEoMfJ |
TLSH: | 73753324AF7E85BECD661A33A072E11551F87D292934C393E3A49BE972713C17E80723 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t.......B...8..... |
Icon Hash: | 39f0f0e8a8f0f030 |
Entrypoint: | 0x4038af |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x4F47E2E4 [Fri Feb 24 19:20:04 2012 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | be41bf7b8cc010b614bd36bbca606973 |
Signature Valid: | false |
Signature Issuer: | CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US |
Signature Validation Error: | The digital signature of the object did not verify |
Error Number: | -2146869232 |
Not Before, Not After | |
Subject Chain | |
Version: | 3 |
Thumbprint MD5: | 15E2254C8FC88D4A538BA4FB09C0019E |
Thumbprint SHA-1: | A731D48CD8E2A99BB91F7C096F40CEDF3A468BA6 |
Thumbprint SHA-256: | 866B46DC0876C0B9C85AFE6569E49352A021C255C8E7680DF6AC1FDBAD677033 |
Serial: | 03AA6492DE9D96A90A4BCA97BEADB44A |
Instruction |
---|
sub esp, 000002D4h |
push ebx |
push ebp |
push esi |
push edi |
push 00000020h |
xor ebp, ebp |
pop esi |
mov dword ptr [esp+18h], ebp |
mov dword ptr [esp+10h], 0040A268h |
mov dword ptr [esp+14h], ebp |
call dword ptr [00409030h] |
push 00008001h |
call dword ptr [004090B4h] |
push ebp |
call dword ptr [004092C0h] |
push 00000008h |
mov dword ptr [0047EB98h], eax |
call 00007FBE14C7072Bh |
push ebp |
push 000002B4h |
mov dword ptr [0047EAB0h], eax |
lea eax, dword ptr [esp+38h] |
push eax |
push ebp |
push 0040A264h |
call dword ptr [00409184h] |
push 0040A24Ch |
push 00476AA0h |
call 00007FBE14C7040Dh |
call dword ptr [004090B0h] |
push eax |
mov edi, 004CF0A0h |
push edi |
call 00007FBE14C703FBh |
push ebp |
call dword ptr [00409134h] |
cmp word ptr [004CF0A0h], 0022h |
mov dword ptr [0047EAB8h], eax |
mov eax, edi |
jne 00007FBE14C6DCFAh |
push 00000022h |
pop esi |
mov eax, 004CF0A2h |
push esi |
push eax |
call 00007FBE14C700D1h |
push eax |
call dword ptr [00409260h] |
mov esi, eax |
mov dword ptr [esp+1Ch], esi |
jmp 00007FBE14C6DD83h |
push 00000020h |
pop ebx |
cmp ax, bx |
jne 00007FBE14C6DCFAh |
add esi, 02h |
cmp word ptr [esi], bx |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xac40 | 0xb4 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x100000 | 0x97dce | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1974a7 | 0x2958 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x86000 | 0x994 | .ndata |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9000 | 0x2d0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x728c | 0x7400 | 419d4e1be1ac35a5db9c47f553b27cea | False | 0.6566540948275862 | data | 6.499708590628113 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x9000 | 0x2b6e | 0x2c00 | cca1ca3fbf99570f6de9b43ce767f368 | False | 0.3678977272727273 | data | 4.497932535153822 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xc000 | 0x72b9c | 0x200 | 77f0839f8ebea31040e462523e1c770e | False | 0.279296875 | data | 1.8049406284608531 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.ndata | 0x7f000 | 0x81000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x100000 | 0x97dce | 0x97e00 | 7bfb2ac429518f76463dbcd9bed70ad5 | False | 0.9898019547325103 | data | 7.97537267897671 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x198000 | 0xfd6 | 0x1000 | 60accd1b2efa87c8f4175e6b74b81261 | False | 0.59912109375 | data | 5.600285288181686 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x100280 | 0x88925 | PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced | English | United States | 0.9998015720499037 |
RT_ICON | 0x188ba8 | 0x865c | PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced | English | United States | 1.0006105361088498 |
RT_ICON | 0x191204 | 0x2a21 | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0010199350950395 |
RT_ICON | 0x193c28 | 0x2668 | Device independent bitmap graphic, 48 x 96 x 32, image size 9792 | English | United States | 0.6335435313262815 |
RT_ICON | 0x196290 | 0x1128 | Device independent bitmap graphic, 32 x 64 x 32, image size 4352 | English | United States | 0.671448087431694 |
RT_ICON | 0x1973b8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.7712765957446809 |
RT_DIALOG | 0x197820 | 0x100 | data | English | United States | 0.5234375 |
RT_DIALOG | 0x197920 | 0x11c | data | English | United States | 0.6056338028169014 |
RT_DIALOG | 0x197a3c | 0x60 | data | English | United States | 0.7291666666666666 |
RT_GROUP_ICON | 0x197a9c | 0x5a | Targa image data - Map 32 x 35109 x 8 +1 | English | United States | 0.7888888888888889 |
RT_MANIFEST | 0x197af8 | 0x2d6 | XML 1.0 document, ASCII text, with very long lines (726), with no line terminators | English | United States | 0.5647382920110193 |
DLL | Import |
---|---|
KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW |
USER32.dll | GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW |
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject |
SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation |
ADVAPI32.dll | RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW |
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create |
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance |
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-10T11:54:44.155704+0100 | 2058039 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (brendon-sharjen .biz) | 1 | 192.168.2.7 | 61761 | 1.1.1.1 | 53 | UDP |
2025-01-10T11:54:44.168312+0100 | 2058222 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz) | 1 | 192.168.2.7 | 50260 | 1.1.1.1 | 53 | UDP |
2025-01-10T11:54:44.181115+0100 | 2058214 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz) | 1 | 192.168.2.7 | 50110 | 1.1.1.1 | 53 | UDP |
2025-01-10T11:54:44.194010+0100 | 2058220 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (effecterectz .xyz) | 1 | 192.168.2.7 | 56632 | 1.1.1.1 | 53 | UDP |
2025-01-10T11:54:44.215119+0100 | 2058218 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diffuculttan .xyz) | 1 | 192.168.2.7 | 52588 | 1.1.1.1 | 53 | UDP |
2025-01-10T11:54:44.226191+0100 | 2058216 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (debonairnukk .xyz) | 1 | 192.168.2.7 | 55072 | 1.1.1.1 | 53 | UDP |
2025-01-10T11:54:44.248307+0100 | 2058236 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrathful-jammy .cyou) | 1 | 192.168.2.7 | 52846 | 1.1.1.1 | 53 | UDP |
2025-01-10T11:54:44.259729+0100 | 2058210 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (awake-weaves .cyou) | 1 | 192.168.2.7 | 59207 | 1.1.1.1 | 53 | UDP |
2025-01-10T11:54:44.270962+0100 | 2058226 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou) | 1 | 192.168.2.7 | 65292 | 1.1.1.1 | 53 | UDP |
2025-01-10T11:54:44.933061+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49835 | 104.102.49.254 | 443 | TCP |
2025-01-10T11:54:45.433464+0100 | 2858666 | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup | 1 | 192.168.2.7 | 49835 | 104.102.49.254 | 443 | TCP |
2025-01-10T11:54:46.013829+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49846 | 104.21.64.1 | 443 | TCP |
2025-01-10T11:54:46.447439+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49846 | 104.21.64.1 | 443 | TCP |
2025-01-10T11:54:46.447439+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49846 | 104.21.64.1 | 443 | TCP |
2025-01-10T11:54:47.026307+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49853 | 104.21.64.1 | 443 | TCP |
2025-01-10T11:54:47.505009+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.7 | 49853 | 104.21.64.1 | 443 | TCP |
2025-01-10T11:54:47.505009+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49853 | 104.21.64.1 | 443 | TCP |
2025-01-10T11:54:48.081112+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 56439 | 104.21.64.1 | 443 | TCP |
2025-01-10T11:54:49.136637+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 56448 | 104.21.64.1 | 443 | TCP |
2025-01-10T11:54:50.287566+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 56458 | 104.21.64.1 | 443 | TCP |
2025-01-10T11:54:50.880339+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.7 | 56458 | 104.21.64.1 | 443 | TCP |
2025-01-10T11:54:51.521831+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 56467 | 104.21.80.1 | 443 | TCP |
2025-01-10T11:54:57.082545+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 56504 | 104.21.80.1 | 443 | TCP |
2025-01-10T11:54:57.622733+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.7 | 56504 | 104.21.80.1 | 443 | TCP |
2025-01-10T11:54:58.096622+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 56509 | 104.21.80.1 | 443 | TCP |
2025-01-10T11:54:58.609964+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 56509 | 104.21.80.1 | 443 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 10, 2025 11:54:44.297748089 CET | 49835 | 443 | 192.168.2.7 | 104.102.49.254 |
Jan 10, 2025 11:54:44.297801971 CET | 443 | 49835 | 104.102.49.254 | 192.168.2.7 |
Jan 10, 2025 11:54:44.298135996 CET | 49835 | 443 | 192.168.2.7 | 104.102.49.254 |
Jan 10, 2025 11:54:44.301043987 CET | 49835 | 443 | 192.168.2.7 | 104.102.49.254 |
Jan 10, 2025 11:54:44.301059961 CET | 443 | 49835 | 104.102.49.254 | 192.168.2.7 |
Jan 10, 2025 11:54:44.932292938 CET | 443 | 49835 | 104.102.49.254 | 192.168.2.7 |
Jan 10, 2025 11:54:44.933060884 CET | 49835 | 443 | 192.168.2.7 | 104.102.49.254 |
Jan 10, 2025 11:54:44.936383009 CET | 49835 | 443 | 192.168.2.7 | 104.102.49.254 |
Jan 10, 2025 11:54:44.936402082 CET | 443 | 49835 | 104.102.49.254 | 192.168.2.7 |
Jan 10, 2025 11:54:44.936676979 CET | 443 | 49835 | 104.102.49.254 | 192.168.2.7 |
Jan 10, 2025 11:54:44.978861094 CET | 49835 | 443 | 192.168.2.7 | 104.102.49.254 |
Jan 10, 2025 11:54:44.995255947 CET | 49835 | 443 | 192.168.2.7 | 104.102.49.254 |
Jan 10, 2025 11:54:45.039340973 CET | 443 | 49835 | 104.102.49.254 | 192.168.2.7 |
Jan 10, 2025 11:54:45.433418036 CET | 443 | 49835 | 104.102.49.254 | 192.168.2.7 |
Jan 10, 2025 11:54:45.433448076 CET | 443 | 49835 | 104.102.49.254 | 192.168.2.7 |
Jan 10, 2025 11:54:45.433476925 CET | 443 | 49835 | 104.102.49.254 | 192.168.2.7 |
Jan 10, 2025 11:54:45.433490992 CET | 49835 | 443 | 192.168.2.7 | 104.102.49.254 |
Jan 10, 2025 11:54:45.433492899 CET | 443 | 49835 | 104.102.49.254 | 192.168.2.7 |
Jan 10, 2025 11:54:45.433507919 CET | 443 | 49835 | 104.102.49.254 | 192.168.2.7 |
Jan 10, 2025 11:54:45.433517933 CET | 443 | 49835 | 104.102.49.254 | 192.168.2.7 |
Jan 10, 2025 11:54:45.433536053 CET | 49835 | 443 | 192.168.2.7 | 104.102.49.254 |
Jan 10, 2025 11:54:45.433594942 CET | 49835 | 443 | 192.168.2.7 | 104.102.49.254 |
Jan 10, 2025 11:54:45.530283928 CET | 443 | 49835 | 104.102.49.254 | 192.168.2.7 |
Jan 10, 2025 11:54:45.530349016 CET | 443 | 49835 | 104.102.49.254 | 192.168.2.7 |
Jan 10, 2025 11:54:45.530507088 CET | 49835 | 443 | 192.168.2.7 | 104.102.49.254 |
Jan 10, 2025 11:54:45.530525923 CET | 443 | 49835 | 104.102.49.254 | 192.168.2.7 |
Jan 10, 2025 11:54:45.530792952 CET | 49835 | 443 | 192.168.2.7 | 104.102.49.254 |
Jan 10, 2025 11:54:45.535182953 CET | 443 | 49835 | 104.102.49.254 | 192.168.2.7 |
Jan 10, 2025 11:54:45.535286903 CET | 443 | 49835 | 104.102.49.254 | 192.168.2.7 |
Jan 10, 2025 11:54:45.535291910 CET | 49835 | 443 | 192.168.2.7 | 104.102.49.254 |
Jan 10, 2025 11:54:45.535337925 CET | 49835 | 443 | 192.168.2.7 | 104.102.49.254 |
Jan 10, 2025 11:54:45.536406994 CET | 49835 | 443 | 192.168.2.7 | 104.102.49.254 |
Jan 10, 2025 11:54:45.536432028 CET | 443 | 49835 | 104.102.49.254 | 192.168.2.7 |
Jan 10, 2025 11:54:45.553771019 CET | 49846 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:45.553812027 CET | 443 | 49846 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:45.553919077 CET | 49846 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:45.554318905 CET | 49846 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:45.554332972 CET | 443 | 49846 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:46.013662100 CET | 443 | 49846 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:46.013828993 CET | 49846 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:46.015340090 CET | 49846 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:46.015351057 CET | 443 | 49846 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:46.015552998 CET | 443 | 49846 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:46.016848087 CET | 49846 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:46.016848087 CET | 49846 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:46.016918898 CET | 443 | 49846 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:46.447530031 CET | 443 | 49846 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:46.447767973 CET | 443 | 49846 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:46.447824001 CET | 49846 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:46.448049068 CET | 49846 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:46.448064089 CET | 443 | 49846 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:46.448095083 CET | 49846 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:46.448101997 CET | 443 | 49846 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:46.564776897 CET | 49853 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:46.564834118 CET | 443 | 49853 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:46.564919949 CET | 49853 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:46.565191031 CET | 49853 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:46.565223932 CET | 443 | 49853 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:47.026195049 CET | 443 | 49853 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:47.026307106 CET | 49853 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:47.027510881 CET | 49853 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:47.027542114 CET | 443 | 49853 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:47.027787924 CET | 443 | 49853 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:47.028975964 CET | 49853 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:47.029019117 CET | 49853 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:47.029067039 CET | 443 | 49853 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:47.142616034 CET | 56435 | 53 | 192.168.2.7 | 162.159.36.2 |
Jan 10, 2025 11:54:47.147439003 CET | 53 | 56435 | 162.159.36.2 | 192.168.2.7 |
Jan 10, 2025 11:54:47.147696018 CET | 56435 | 53 | 192.168.2.7 | 162.159.36.2 |
Jan 10, 2025 11:54:47.152507067 CET | 53 | 56435 | 162.159.36.2 | 192.168.2.7 |
Jan 10, 2025 11:54:47.505029917 CET | 443 | 49853 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:47.505078077 CET | 443 | 49853 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:47.505105019 CET | 443 | 49853 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:47.505151987 CET | 443 | 49853 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:47.505177975 CET | 443 | 49853 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:47.505187035 CET | 49853 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:47.505211115 CET | 443 | 49853 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:47.505223989 CET | 49853 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:47.505224943 CET | 443 | 49853 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:47.505251884 CET | 49853 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:47.505629063 CET | 443 | 49853 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:47.505685091 CET | 49853 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:47.505708933 CET | 443 | 49853 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:47.506026030 CET | 443 | 49853 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:47.506084919 CET | 49853 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:47.506097078 CET | 443 | 49853 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:47.556946039 CET | 49853 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:47.556962967 CET | 443 | 49853 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:47.592374086 CET | 443 | 49853 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:47.592401981 CET | 443 | 49853 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:47.592489004 CET | 49853 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:47.592498064 CET | 443 | 49853 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:47.592567921 CET | 49853 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:47.592809916 CET | 49853 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:47.592823982 CET | 443 | 49853 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:47.592852116 CET | 49853 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:47.592864990 CET | 443 | 49853 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:47.611444950 CET | 56435 | 53 | 192.168.2.7 | 162.159.36.2 |
Jan 10, 2025 11:54:47.615987062 CET | 56439 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:47.616024971 CET | 443 | 56439 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:47.616106033 CET | 56439 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:47.616468906 CET | 53 | 56435 | 162.159.36.2 | 192.168.2.7 |
Jan 10, 2025 11:54:47.616563082 CET | 56439 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:47.616561890 CET | 56435 | 53 | 192.168.2.7 | 162.159.36.2 |
Jan 10, 2025 11:54:47.616576910 CET | 443 | 56439 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:48.081032038 CET | 443 | 56439 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:48.081111908 CET | 56439 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:48.082575083 CET | 56439 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:48.082582951 CET | 443 | 56439 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:48.082798004 CET | 443 | 56439 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:48.084091902 CET | 56439 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:48.084300995 CET | 56439 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:48.084331989 CET | 443 | 56439 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:48.638751984 CET | 443 | 56439 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:48.638844967 CET | 443 | 56439 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:48.638940096 CET | 56439 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:48.639219999 CET | 56439 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:48.639226913 CET | 443 | 56439 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:48.654794931 CET | 56448 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:48.654825926 CET | 443 | 56448 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:48.654928923 CET | 56448 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:48.655215025 CET | 56448 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:48.655227900 CET | 443 | 56448 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:49.136562109 CET | 443 | 56448 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:49.136636972 CET | 56448 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:49.138139009 CET | 56448 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:49.138149977 CET | 443 | 56448 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:49.138389111 CET | 443 | 56448 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:49.139728069 CET | 56448 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:49.139832973 CET | 56448 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:49.139866114 CET | 443 | 56448 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:49.139909029 CET | 56448 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:49.139915943 CET | 443 | 56448 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:49.669775009 CET | 443 | 56448 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:49.669876099 CET | 443 | 56448 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:49.669944048 CET | 56448 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:49.670070887 CET | 56448 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:49.670092106 CET | 443 | 56448 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:49.820102930 CET | 56458 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:49.820137978 CET | 443 | 56458 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:49.820204973 CET | 56458 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:49.820501089 CET | 56458 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:49.820523024 CET | 443 | 56458 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:50.287472010 CET | 443 | 56458 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:50.287565947 CET | 56458 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:50.288939953 CET | 56458 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:50.288949013 CET | 443 | 56458 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:50.289277077 CET | 443 | 56458 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:50.290491104 CET | 56458 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:50.290709019 CET | 56458 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:50.290749073 CET | 443 | 56458 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:50.290819883 CET | 56458 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:50.290827990 CET | 443 | 56458 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:50.880354881 CET | 443 | 56458 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:50.880485058 CET | 443 | 56458 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:50.880563021 CET | 56458 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:50.880789042 CET | 56458 | 443 | 192.168.2.7 | 104.21.64.1 |
Jan 10, 2025 11:54:50.880809069 CET | 443 | 56458 | 104.21.64.1 | 192.168.2.7 |
Jan 10, 2025 11:54:51.036675930 CET | 56467 | 443 | 192.168.2.7 | 104.21.80.1 |
Jan 10, 2025 11:54:51.036731958 CET | 443 | 56467 | 104.21.80.1 | 192.168.2.7 |
Jan 10, 2025 11:54:51.037132025 CET | 56467 | 443 | 192.168.2.7 | 104.21.80.1 |
Jan 10, 2025 11:54:51.037178040 CET | 56467 | 443 | 192.168.2.7 | 104.21.80.1 |
Jan 10, 2025 11:54:51.037187099 CET | 443 | 56467 | 104.21.80.1 | 192.168.2.7 |
Jan 10, 2025 11:54:51.521714926 CET | 443 | 56467 | 104.21.80.1 | 192.168.2.7 |
Jan 10, 2025 11:54:51.521831036 CET | 56467 | 443 | 192.168.2.7 | 104.21.80.1 |
Jan 10, 2025 11:54:51.523196936 CET | 56467 | 443 | 192.168.2.7 | 104.21.80.1 |
Jan 10, 2025 11:54:51.523216009 CET | 443 | 56467 | 104.21.80.1 | 192.168.2.7 |
Jan 10, 2025 11:54:51.523622036 CET | 443 | 56467 | 104.21.80.1 | 192.168.2.7 |
Jan 10, 2025 11:54:51.524926901 CET | 56467 | 443 | 192.168.2.7 | 104.21.80.1 |
Jan 10, 2025 11:54:51.525021076 CET | 56467 | 443 | 192.168.2.7 | 104.21.80.1 |
Jan 10, 2025 11:54:51.525028944 CET | 443 | 56467 | 104.21.80.1 | 192.168.2.7 |
Jan 10, 2025 11:54:56.386010885 CET | 443 | 56467 | 104.21.80.1 | 192.168.2.7 |
Jan 10, 2025 11:54:56.386101961 CET | 443 | 56467 | 104.21.80.1 | 192.168.2.7 |
Jan 10, 2025 11:54:56.386192083 CET | 56467 | 443 | 192.168.2.7 | 104.21.80.1 |
Jan 10, 2025 11:54:56.386379957 CET | 56467 | 443 | 192.168.2.7 | 104.21.80.1 |
Jan 10, 2025 11:54:56.386400938 CET | 443 | 56467 | 104.21.80.1 | 192.168.2.7 |
Jan 10, 2025 11:54:56.532448053 CET | 56504 | 443 | 192.168.2.7 | 104.21.80.1 |
Jan 10, 2025 11:54:56.532496929 CET | 443 | 56504 | 104.21.80.1 | 192.168.2.7 |
Jan 10, 2025 11:54:56.532591105 CET | 56504 | 443 | 192.168.2.7 | 104.21.80.1 |
Jan 10, 2025 11:54:56.532857895 CET | 56504 | 443 | 192.168.2.7 | 104.21.80.1 |
Jan 10, 2025 11:54:56.532872915 CET | 443 | 56504 | 104.21.80.1 | 192.168.2.7 |
Jan 10, 2025 11:54:57.082417965 CET | 443 | 56504 | 104.21.80.1 | 192.168.2.7 |
Jan 10, 2025 11:54:57.082545042 CET | 56504 | 443 | 192.168.2.7 | 104.21.80.1 |
Jan 10, 2025 11:54:57.083894014 CET | 56504 | 443 | 192.168.2.7 | 104.21.80.1 |
Jan 10, 2025 11:54:57.083903074 CET | 443 | 56504 | 104.21.80.1 | 192.168.2.7 |
Jan 10, 2025 11:54:57.084624052 CET | 443 | 56504 | 104.21.80.1 | 192.168.2.7 |
Jan 10, 2025 11:54:57.085721970 CET | 56504 | 443 | 192.168.2.7 | 104.21.80.1 |
Jan 10, 2025 11:54:57.085804939 CET | 56504 | 443 | 192.168.2.7 | 104.21.80.1 |
Jan 10, 2025 11:54:57.085810900 CET | 443 | 56504 | 104.21.80.1 | 192.168.2.7 |
Jan 10, 2025 11:54:57.622737885 CET | 443 | 56504 | 104.21.80.1 | 192.168.2.7 |
Jan 10, 2025 11:54:57.622848988 CET | 443 | 56504 | 104.21.80.1 | 192.168.2.7 |
Jan 10, 2025 11:54:57.623016119 CET | 56504 | 443 | 192.168.2.7 | 104.21.80.1 |
Jan 10, 2025 11:54:57.623466015 CET | 56504 | 443 | 192.168.2.7 | 104.21.80.1 |
Jan 10, 2025 11:54:57.623486042 CET | 443 | 56504 | 104.21.80.1 | 192.168.2.7 |
Jan 10, 2025 11:54:57.635669947 CET | 56509 | 443 | 192.168.2.7 | 104.21.80.1 |
Jan 10, 2025 11:54:57.635725021 CET | 443 | 56509 | 104.21.80.1 | 192.168.2.7 |
Jan 10, 2025 11:54:57.635829926 CET | 56509 | 443 | 192.168.2.7 | 104.21.80.1 |
Jan 10, 2025 11:54:57.636131048 CET | 56509 | 443 | 192.168.2.7 | 104.21.80.1 |
Jan 10, 2025 11:54:57.636148930 CET | 443 | 56509 | 104.21.80.1 | 192.168.2.7 |
Jan 10, 2025 11:54:58.096527100 CET | 443 | 56509 | 104.21.80.1 | 192.168.2.7 |
Jan 10, 2025 11:54:58.096621990 CET | 56509 | 443 | 192.168.2.7 | 104.21.80.1 |
Jan 10, 2025 11:54:58.153260946 CET | 56509 | 443 | 192.168.2.7 | 104.21.80.1 |
Jan 10, 2025 11:54:58.153299093 CET | 443 | 56509 | 104.21.80.1 | 192.168.2.7 |
Jan 10, 2025 11:54:58.153717041 CET | 443 | 56509 | 104.21.80.1 | 192.168.2.7 |
Jan 10, 2025 11:54:58.163453102 CET | 56509 | 443 | 192.168.2.7 | 104.21.80.1 |
Jan 10, 2025 11:54:58.163491011 CET | 56509 | 443 | 192.168.2.7 | 104.21.80.1 |
Jan 10, 2025 11:54:58.163608074 CET | 443 | 56509 | 104.21.80.1 | 192.168.2.7 |
Jan 10, 2025 11:54:58.609985113 CET | 443 | 56509 | 104.21.80.1 | 192.168.2.7 |
Jan 10, 2025 11:54:58.610133886 CET | 443 | 56509 | 104.21.80.1 | 192.168.2.7 |
Jan 10, 2025 11:54:58.610227108 CET | 56509 | 443 | 192.168.2.7 | 104.21.80.1 |
Jan 10, 2025 11:54:58.610336065 CET | 56509 | 443 | 192.168.2.7 | 104.21.80.1 |
Jan 10, 2025 11:54:58.610354900 CET | 443 | 56509 | 104.21.80.1 | 192.168.2.7 |
Jan 10, 2025 11:54:58.610425949 CET | 56509 | 443 | 192.168.2.7 | 104.21.80.1 |
Jan 10, 2025 11:54:58.610434055 CET | 443 | 56509 | 104.21.80.1 | 192.168.2.7 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 10, 2025 11:54:17.508805037 CET | 58806 | 53 | 192.168.2.7 | 1.1.1.1 |
Jan 10, 2025 11:54:17.517395973 CET | 53 | 58806 | 1.1.1.1 | 192.168.2.7 |
Jan 10, 2025 11:54:44.155704021 CET | 61761 | 53 | 192.168.2.7 | 1.1.1.1 |
Jan 10, 2025 11:54:44.166321039 CET | 53 | 61761 | 1.1.1.1 | 192.168.2.7 |
Jan 10, 2025 11:54:44.168312073 CET | 50260 | 53 | 192.168.2.7 | 1.1.1.1 |
Jan 10, 2025 11:54:44.178109884 CET | 53 | 50260 | 1.1.1.1 | 192.168.2.7 |
Jan 10, 2025 11:54:44.181114912 CET | 50110 | 53 | 192.168.2.7 | 1.1.1.1 |
Jan 10, 2025 11:54:44.191612959 CET | 53 | 50110 | 1.1.1.1 | 192.168.2.7 |
Jan 10, 2025 11:54:44.194010019 CET | 56632 | 53 | 192.168.2.7 | 1.1.1.1 |
Jan 10, 2025 11:54:44.213541031 CET | 53 | 56632 | 1.1.1.1 | 192.168.2.7 |
Jan 10, 2025 11:54:44.215118885 CET | 52588 | 53 | 192.168.2.7 | 1.1.1.1 |
Jan 10, 2025 11:54:44.224069118 CET | 53 | 52588 | 1.1.1.1 | 192.168.2.7 |
Jan 10, 2025 11:54:44.226191044 CET | 55072 | 53 | 192.168.2.7 | 1.1.1.1 |
Jan 10, 2025 11:54:44.245301962 CET | 53 | 55072 | 1.1.1.1 | 192.168.2.7 |
Jan 10, 2025 11:54:44.248306990 CET | 52846 | 53 | 192.168.2.7 | 1.1.1.1 |
Jan 10, 2025 11:54:44.257072926 CET | 53 | 52846 | 1.1.1.1 | 192.168.2.7 |
Jan 10, 2025 11:54:44.259728909 CET | 59207 | 53 | 192.168.2.7 | 1.1.1.1 |
Jan 10, 2025 11:54:44.269309044 CET | 53 | 59207 | 1.1.1.1 | 192.168.2.7 |
Jan 10, 2025 11:54:44.270962000 CET | 65292 | 53 | 192.168.2.7 | 1.1.1.1 |
Jan 10, 2025 11:54:44.280795097 CET | 53 | 65292 | 1.1.1.1 | 192.168.2.7 |
Jan 10, 2025 11:54:44.284280062 CET | 63402 | 53 | 192.168.2.7 | 1.1.1.1 |
Jan 10, 2025 11:54:44.291198015 CET | 53 | 63402 | 1.1.1.1 | 192.168.2.7 |
Jan 10, 2025 11:54:45.540623903 CET | 53025 | 53 | 192.168.2.7 | 1.1.1.1 |
Jan 10, 2025 11:54:45.552536964 CET | 53 | 53025 | 1.1.1.1 | 192.168.2.7 |
Jan 10, 2025 11:54:47.142080069 CET | 53 | 55634 | 162.159.36.2 | 192.168.2.7 |
Jan 10, 2025 11:54:47.619143963 CET | 57900 | 53 | 192.168.2.7 | 1.1.1.1 |
Jan 10, 2025 11:54:47.626909971 CET | 53 | 57900 | 1.1.1.1 | 192.168.2.7 |
Jan 10, 2025 11:54:49.104854107 CET | 50708 | 53 | 192.168.2.7 | 1.1.1.1 |
Jan 10, 2025 11:54:49.112034082 CET | 53 | 50708 | 1.1.1.1 | 192.168.2.7 |
Jan 10, 2025 11:54:51.021073103 CET | 60495 | 53 | 192.168.2.7 | 1.1.1.1 |
Jan 10, 2025 11:54:51.035681009 CET | 53 | 60495 | 1.1.1.1 | 192.168.2.7 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Jan 10, 2025 11:54:17.508805037 CET | 192.168.2.7 | 1.1.1.1 | 0xecb8 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 11:54:44.155704021 CET | 192.168.2.7 | 1.1.1.1 | 0xf925 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 11:54:44.168312073 CET | 192.168.2.7 | 1.1.1.1 | 0xf6a9 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 11:54:44.181114912 CET | 192.168.2.7 | 1.1.1.1 | 0xd5fe | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 11:54:44.194010019 CET | 192.168.2.7 | 1.1.1.1 | 0x8894 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 11:54:44.215118885 CET | 192.168.2.7 | 1.1.1.1 | 0xa69d | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 11:54:44.226191044 CET | 192.168.2.7 | 1.1.1.1 | 0x9373 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 11:54:44.248306990 CET | 192.168.2.7 | 1.1.1.1 | 0xc5cc | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 11:54:44.259728909 CET | 192.168.2.7 | 1.1.1.1 | 0x12b0 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 11:54:44.270962000 CET | 192.168.2.7 | 1.1.1.1 | 0xda9 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 11:54:44.284280062 CET | 192.168.2.7 | 1.1.1.1 | 0xecec | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 11:54:45.540623903 CET | 192.168.2.7 | 1.1.1.1 | 0xdc67 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 11:54:47.619143963 CET | 192.168.2.7 | 1.1.1.1 | 0xca33 | Standard query (0) | | PTR (Pointer record) | IN (0x0001) | false |
Jan 10, 2025 11:54:49.104854107 CET | 192.168.2.7 | 1.1.1.1 | 0x525d | Standard query (0) | | PTR (Pointer record) | IN (0x0001) | false |
Jan 10, 2025 11:54:51.021073103 CET | 192.168.2.7 | 1.1.1.1 | 0x825e | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Jan 10, 2025 11:54:17.517395973 CET | 1.1.1.1 | 192.168.2.7 | 0xecb8 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 11:54:44.166321039 CET | 1.1.1.1 | 192.168.2.7 | 0xf925 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 11:54:44.178109884 CET | 1.1.1.1 | 192.168.2.7 | 0xf6a9 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 11:54:44.191612959 CET | 1.1.1.1 | 192.168.2.7 | 0xd5fe | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 11:54:44.213541031 CET | 1.1.1.1 | 192.168.2.7 | 0x8894 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 11:54:44.224069118 CET | 1.1.1.1 | 192.168.2.7 | 0xa69d | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 11:54:44.245301962 CET | 1.1.1.1 | 192.168.2.7 | 0x9373 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 11:54:44.257072926 CET | 1.1.1.1 | 192.168.2.7 | 0xc5cc | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 11:54:44.269309044 CET | 1.1.1.1 | 192.168.2.7 | 0x12b0 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 11:54:44.280795097 CET | 1.1.1.1 | 192.168.2.7 | 0xda9 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 11:54:44.291198015 CET | 1.1.1.1 | 192.168.2.7 | 0xecec | No error (0) | | | 104.102.49.254 | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 11:54:45.552536964 CET | 1.1.1.1 | 192.168.2.7 | 0xdc67 | No error (0) | | | 104.21.64.1 | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 11:54:45.552536964 CET | 1.1.1.1 | 192.168.2.7 | 0xdc67 | No error (0) | | | 104.21.112.1 | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 11:54:45.552536964 CET | 1.1.1.1 | 192.168.2.7 | 0xdc67 | No error (0) | | | 104.21.32.1 | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 11:54:45.552536964 CET | 1.1.1.1 | 192.168.2.7 | 0xdc67 | No error (0) | | | 104.21.16.1 | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 11:54:45.552536964 CET | 1.1.1.1 | 192.168.2.7 | 0xdc67 | No error (0) | | | 104.21.96.1 | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 11:54:45.552536964 CET | 1.1.1.1 | 192.168.2.7 | 0xdc67 | No error (0) | | | 104.21.48.1 | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 11:54:45.552536964 CET | 1.1.1.1 | 192.168.2.7 | 0xdc67 | No error (0) | | | 104.21.80.1 | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 11:54:47.626909971 CET | 1.1.1.1 | 192.168.2.7 | 0xca33 | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) | false |
Jan 10, 2025 11:54:49.112034082 CET | 1.1.1.1 | 192.168.2.7 | 0x525d | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) | false |
Jan 10, 2025 11:54:51.035681009 CET | 1.1.1.1 | 192.168.2.7 | 0x825e | No error (0) | | | 104.21.80.1 | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 11:54:51.035681009 CET | 1.1.1.1 | 192.168.2.7 | 0x825e | No error (0) | | | 104.21.32.1 | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 11:54:51.035681009 CET | 1.1.1.1 | 192.168.2.7 | 0x825e | No error (0) | | | 104.21.96.1 | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 11:54:51.035681009 CET | 1.1.1.1 | 192.168.2.7 | 0x825e | No error (0) | | | 104.21.48.1 | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 11:54:51.035681009 CET | 1.1.1.1 | 192.168.2.7 | 0x825e | No error (0) | | | 104.21.112.1 | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 11:54:51.035681009 CET | 1.1.1.1 | 192.168.2.7 | 0x825e | No error (0) | | | 104.21.16.1 | A (IP address) | IN (0x0001) | false |
Jan 10, 2025 11:54:51.035681009 CET | 1.1.1.1 | 192.168.2.7 | 0x825e | No error (0) | | | 104.21.64.1 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.7 | 49835 | 104.102.49.254 | 443 | 7932 | C:\Users\user\AppData\Local\Temp\506480\Sally.com |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-10 10:54:44 UTC | 219 | OUT | |
2025-01-10 10:54:45 UTC | 1905 | IN | |
2025-01-10 10:54:45 UTC | 14479 | IN | |
2025-01-10 10:54:45 UTC | 16384 | IN | |
2025-01-10 10:54:45 UTC | 3768 | IN | |
2025-01-10 10:54:45 UTC | 495 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.7 | 49846 | 104.21.64.1 | 443 | 7932 | C:\Users\user\AppData\Local\Temp\506480\Sally.com |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-10 10:54:46 UTC | 263 | OUT | |
2025-01-10 10:54:46 UTC | 8 | OUT | |
2025-01-10 10:54:46 UTC | 1123 | IN | |
2025-01-10 10:54:46 UTC | 7 | IN | |
2025-01-10 10:54:46 UTC | 5 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.7 | 49853 | 104.21.64.1 | 443 | 7932 | C:\Users\user\AppData\Local\Temp\506480\Sally.com |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-10 10:54:47 UTC | 264 | OUT | |
2025-01-10 10:54:47 UTC | 86 | OUT | |
2025-01-10 10:54:47 UTC | 1129 | IN | |
2025-01-10 10:54:47 UTC | 240 | IN | |
2025-01-10 10:54:47 UTC | 1369 | IN | |
2025-01-10 10:54:47 UTC | 1369 | IN | |
2025-01-10 10:54:47 UTC | 192 | IN | |
2025-01-10 10:54:47 UTC | 1369 | IN | |
2025-01-10 10:54:47 UTC | 1369 | IN | |
2025-01-10 10:54:47 UTC | 1369 | IN | |
2025-01-10 10:54:47 UTC | 1369 | IN | |
2025-01-10 10:54:47 UTC | 1369 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.7 | 56439 | 104.21.64.1 | 443 | 7932 | C:\Users\user\AppData\Local\Temp\506480\Sally.com |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-10 10:54:48 UTC | 272 | OUT | |
2025-01-10 10:54:48 UTC | 12791 | OUT | |
2025-01-10 10:54:48 UTC | 1127 | IN | |
2025-01-10 10:54:48 UTC | 20 | IN | |
2025-01-10 10:54:48 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.7 | 56448 | 104.21.64.1 | 443 | 7932 | C:\Users\user\AppData\Local\Temp\506480\Sally.com |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-10 10:54:49 UTC | 281 | OUT | |
2025-01-10 10:54:49 UTC | 15077 | OUT | |
2025-01-10 10:54:49 UTC | 1130 | IN | |
2025-01-10 10:54:49 UTC | 20 | IN | |
2025-01-10 10:54:49 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.7 | 56458 | 104.21.64.1 | 443 | 7932 | C:\Users\user\AppData\Local\Temp\506480\Sally.com |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-10 10:54:50 UTC | 280 | OUT | |
2025-01-10 10:54:50 UTC | 15331 | OUT | |
2025-01-10 10:54:50 UTC | 5065 | OUT | |
2025-01-10 10:54:50 UTC | 1129 | IN | |
2025-01-10 10:54:50 UTC | 20 | IN | |
2025-01-10 10:54:50 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.7 | 56467 | 104.21.80.1 | 443 | 7932 | C:\Users\user\AppData\Local\Temp\506480\Sally.com |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-10 10:54:51 UTC | 275 | OUT | |
2025-01-10 10:54:51 UTC | 1217 | OUT | |
2025-01-10 10:54:56 UTC | 1121 | IN | |
2025-01-10 10:54:56 UTC | 20 | IN | |
2025-01-10 10:54:56 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.7 | 56504 | 104.21.80.1 | 443 | 7932 | C:\Users\user\AppData\Local\Temp\506480\Sally.com |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-10 10:54:57 UTC | 277 | OUT | |
2025-01-10 10:54:57 UTC | 1126 | OUT | |
2025-01-10 10:54:57 UTC | 1124 | IN | |
2025-01-10 10:54:57 UTC | 20 | IN | |
2025-01-10 10:54:57 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
8 | 192.168.2.7 | 56509 | 104.21.80.1 | 443 | 7932 | C:\Users\user\AppData\Local\Temp\506480\Sally.com |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-10 10:54:58 UTC | 265 | OUT | |
2025-01-10 10:54:58 UTC | 121 | OUT | |
2025-01-10 10:54:58 UTC | 1128 | IN | |
2025-01-10 10:54:58 UTC | 54 | IN | |
2025-01-10 10:54:58 UTC | 5 | IN |
Target ID: | 2 |
Start time: | 05:54:11 |
Start date: | 10/01/2025 |
Path: | C:\Users\user\Desktop\DodSussex.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 1'678'847 bytes |
MD5 hash: | 7D1B12A3E617535C0FE754DABD278393 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 7 |
Start time: | 05:54:12 |
Start date: | 10/01/2025 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x410000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 8 |
Start time: | 05:54:12 |
Start date: | 10/01/2025 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd00000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 9 |
Start time: | 05:54:13 |
Start date: | 10/01/2025 |
Path: | C:\Windows\SysWOW64\tasklist.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x10000 |
File size: | 79'360 bytes |
MD5 hash: | 0A4448B31CE7F83CB7691A2657F330F1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 10 |
Start time: | 05:54:13 |
Start date: | 10/01/2025 |
Path: | C:\Windows\SysWOW64\findstr.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 29'696 bytes |
MD5 hash: | F1D4BE0E99EC734376FDE474A8D4EA3E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 11 |
Start time: | 05:54:14 |
Start date: | 10/01/2025 |
Path: | C:\Windows\SysWOW64\tasklist.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x10000 |
File size: | 79'360 bytes |
MD5 hash: | 0A4448B31CE7F83CB7691A2657F330F1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 12 |
Start time: | 05:54:14 |
Start date: | 10/01/2025 |
Path: | C:\Windows\SysWOW64\findstr.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 29'696 bytes |
MD5 hash: | F1D4BE0E99EC734376FDE474A8D4EA3E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 13 |
Start time: | 05:54:14 |
Start date: | 10/01/2025 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x410000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 14 |
Start time: | 05:54:15 |
Start date: | 10/01/2025 |
Path: | C:\Windows\SysWOW64\findstr.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 29'696 bytes |
MD5 hash: | F1D4BE0E99EC734376FDE474A8D4EA3E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 15 |
Start time: | 05:54:15 |
Start date: | 10/01/2025 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x410000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 16 |
Start time: | 05:54:15 |
Start date: | 10/01/2025 |
Path: | C:\Users\user\AppData\Local\Temp\506480\Sally.com |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xff0000 |
File size: | 947'288 bytes |
MD5 hash: | 62D09F076E6E0240548C2F837536A46A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Antivirus matches: | |
Has exited: | true |
Target ID: | 17 |
Start time: | 05:54:15 |
Start date: | 10/01/2025 |
Path: | C:\Windows\SysWOW64\choice.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x3e0000 |
File size: | 28'160 bytes |
MD5 hash: | FCE0E41C87DC4ABBE976998AD26C27E4 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Execution Graph
Execution Coverage: | 17.7% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 21% |
Total number of Nodes: | 1482 |
Total number of Limit Nodes: | 27 |
Graph
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
004050F9 | 66.8 | 36 | 2 | 295 | window, clipboard, memory, COMMON |
004038AF | 52.8 | 22 | 8 | 304 | file, string, com, COMMON |
004015A0 | 56.4 | 15 | 17 | 351 | sleep, file, window, COMMON |
00405958 | 44.0 | 15 | 10 | 233 | string, registry, library, COMMON |
00401A1F | 22.9 | 5 | 8 | 185 | string, time, COMMON |
0040337F | 19.4 | 6 | 5 | 175 | file, COMMON |
004022FD | 7.6 | 5 | | 56 | memory, COMMON |
0040139D | 3.0 | 2 | | 42 | window, COMMON |
00405E7C | 3.0 | 2 | | 15 | file, COMMON |
00405E5C | 3.0 | 2 | | 9 | COMMON |
00403336 | 1.5 | 1 | | 22 | file, COMMON |
004037F8 | 1.5 | 1 | | 20 | COMMON |
00403DDB | 1.5 | 1 | | 9 | window, COMMON |
00403368 | 1.5 | 1 | | 6 | COMMON |
00403DC4 | 1.5 | 1 | | 6 | window, COMMON |
00403DB1 | 1.5 | 1 | | 4 | COMMON |
004049A8 | 65.2 | 33 | 4 | 470 | window, memory, COMMON |
00406CC7 | 31.7 | 9 | 9 | 190 | file, string, COMMON |
004044D1 | 30.0 | 15 | 2 | 300 | string, keyboard, COMMON |
00406EFE | 30.0 | 14 | 3 | 270 | file, string, COMMON |
00406831 | 19.5 | 8 | 3 | 212 | string, COMMON |
004079A2 | 0.3 | | | 347 | COMMON |
0040737E | 0.3 | | | 303 | COMMON |
004063D8 | 70.3 | 29 | 11 | 256 | library, loader, memory, COMMON |
004040E4 | 40.5 | 20 | 3 | 210 | window, string, COMMON |
00406AC5 | 35.2 | 15 | 5 | 163 | file, string, memory, COMMON |
00402880 | 17.6 | 4 | 6 | 131 | registry, string, COMMON |
00406113 | 15.8 | 7 | 2 | 72 | file, string, COMMON |
00402E55 | 14.1 | 7 | 1 | 103 | memory, file, COMMON |
004023F0 | 12.3 | 3 | 4 | 83 | library, COMMON |
00403DF6 | 12.1 | 8 | | 60 | COMMON |
00402238 | 10.6 | 3 | 3 | 59 | synchronization, COMMON |
0040487A | 10.5 | 5 | 1 | 48 | window, COMMON |
0040324C | 10.5 | 5 | 1 | 40 | time, COMMON |
0040209F | 7.5 | 5 | | 39 | window, COMMON |
00401F80 | 7.1 | 3 | 1 | 84 | window, time, COMMON |
004043D9 | 7.1 | 3 | 1 | 73 | string, COMMON |
004027E3 | 7.1 | 2 | 2 | 60 | registry, COMMON |
00402665 | 7.1 | 3 | 1 | 56 | string, COMMON |
00406250 | 7.1 | 2 | 2 | 53 | string, COMMON |
004020F9 | 6.0 | 4 | | 45 | COMMON |
00407224 | 6.0 | 3 | 1 | 43 | string, COMMON |
004032D2 | 6.0 | 4 | | 33 | COMMON |
00406391 | 6.0 | 4 | | 31 | memory, library, loader, COMMON |
004048F8 | 5.3 | 2 | 1 | 58 | window, COMMON |
00402797 | 5.3 | 2 | 1 | 25 | string, COMMON |
00405C6B | 5.3 | 2 | 1 | 24 | process, COMMON |
004062CF | 5.3 | 2 | 1 | 13 | string, COMMON |
00405DE2 | 5.0 | 4 | | 37 | string, COMMON |